...but if we all submit to biometric ID cards, sub-dermal RFID chips and CCTV in every home, then Earth can't be hit by asteroids right?
I mean - we all know that it's terrorists launching asteroids at the Earth.
If you don't know the current abilities of parachutes, now-a-day, you should do your research.
Shouldn't that be wingsuits? I should dearly hope that most people know the abilities of parachutes - they have been a regular plot device in the media for years.
oops - that wasn't your comment I was referring to - forgive me.
ANYONE can make OSS, release it, and have 10k+ security holes in it.
...and therein lies a weakness. Sure if you take a major project like Apache or MySQL then they will be scrutinised very carefully, however one could also argue that this increases risk as a skilled hax0r could spot a potential exploit in a way they couldn't with closed source (which, I will wager is what happened with Santy). There are (obviously) arguments for and against closed / open source, however if I may remind you of your own comment:
At least with Linux, the community usually discovers them first and before the problem is made public there is already a patch available.
And we compare this to the Santy situation, sure - there was a patch and workaround issued quickly, however 670,000+ sites still got compromised; it doesn't matter how quickly a patch is issued - once a fast spreading worm is in the wild the only thing that is a working defence is good basic security principles, such as you already mentioned, setting correct file permissions. If a worm can cover the planet in 15 minutes you ain't going to be hearing about the exploit and patching your box in that time. We humans are simply too slow. There is no substitute for a skilled admin. As you say, the code is only as good as the coders, and if that code isn't being checked by anyone who is skilled enough to spot these problems and it's just so damn useful (i.e. phpBB) that it becomes popular and therefore gets installed by lots of people who don't apply basic security principles then we have all of the ingredients for a potentially serious problem.
I'm not having a go at you here, I'm merely pointing out that it is unwise to be lulled into a false sense of security just because one uses OSS.
...so long as the computer you're using can be trusted.
Well that rules out Windows then.
There are that many defaced phpBB sites because not all users or hosters know about proper setting of file permissions.
...which is precisely my point. PHP4 is open source, phpBB is open source, Linux is open source, yet sites were compromised. Simply using OSS does not a secure system make.
...but Linux is just a kernel. Would your thinking protect against the Santy worm? (on all platforms - including Linux)
If so, how come as I write there are 670,000+ defaced sites?
Now what if someone had included zombie code in perl?
I'm not dissing Linux here but open source is not the holy grail of security. Something, somewhere, is always going to be a problem.
I must be part of a study into this behaviour! It's the only explanation that makes sense - I was right all along - my users couldn't possibly be as stupid as they are! It's all a test to see how much I can take before I lose it!
Yes.. I see it all clearly now.. I must escape.. but they will be watching me...
*foam at mouth*
I'm still waiting...
See that's your mistake - they NEVER come to you. If you want one, you can have one. You just have to put in a bit of effort.
Firstly, ask yourself this question - "What are you doing to get one?"
If someone is going to quote an *exact* number in the title, then a different number in the body, then it's perfectly reasonable to question that number.
If the headline had been "China closes >1000 sites" then fair enough, but to mention a specific number in the headline, then to quote a different number in the body, should and does raise questions.
What more can one ask?
That 51% of Americans grow a brain?
I agree completely - we do not allow admin or Power User rights on our systems, and typically if a machine has gator on it, it usually has other problems too. In fact I'll guarantee that if any machine has gator on it, it usually has LOTS of other problems.
Tracking the symptoms like this alerts me to these problems - running SpyBot on a machine never hurts, and I'll do other things too like have a script email me the list of administrators on the machine and perhaps change the password.
As for more malicious, I have used the same technique with Snort sensors around the network logging into a database. Another script queries the database and takes the appropriate action du jour - for example during Nimda I had scripts that would scan the database and clean infected machines.
Always worth putting in the extra time to automate these things as you have a solution for the future and can sit back and admire your work.
As for curing the symptoms and not the cause, this frees up my time to tackle the cause. If I ran around manually cleaning up systems my time would go nowhere.
It's happened before (rover getting cleaned) and it will continue to happen.
It rains on Mars.
I just RTA which is an interesting story. To be honest I've never played with Graphing Calculator, but then I only seriously got into Macs after OSX.
After reading the article I wanted to play with the software, and found it under the old OS9 applications folder. It runs under Classic.
Looking at the examples on the web page that have some really cool looking colour images that have been generated by math and wondering if I would be able to do that with my relatively limited math knowledge, I copied the basic example equation
x^2 - y^2 = 1
Into the calculator and pressed enter...
Version 1.3 can't graph equations of this form. Visit www.PacificT.com to order Version 3.
If scripts replace kiddies, will we call them Kiddie Scripts?
What will we do when the scripts start generating mutated offspring?
I have it so that if one of our firewalls detects an attempt to access gator.com it enrols the machine into an active directory system group which the SMS server queries to automatically de-spyware it with SpyBot.
I'd call that a self healing system. I'm a network admin though so my perception of these things tends to be on a larger scale.
Everyone knows that the only reason people use Linux is because we don't like paying for things - what makes anyone think we are going to start paying for music?
*tsk*
You mean like 10.3.5 breaking systems that use a list of names to log in to a network server?
In other news - tablet PC screen protector sales expected to surge.
..to the submitter for not writing "Legos".
It really annoys me when people do that.
the free (yes, as in Freedom, who cares otherwise)
See, this is where it gets confusing - you equate 'free' (as in traditionally, 'beer') with 'Freedom' (note the capital there). Now are you referring to the US branded version of 'Freedom' which means 'you are free (to do what you are told)' or what?
Who do you want to be today?
Simply place it in a cage that only you have the keys to. When you want to use the PC, unlock the cage, go in, lock the cage.
Problem solved.
You could always substitute 'cage' for 'room'.
I tried that - I sent:
"Vote democrat"
I got a reply:
"Nothing happens."
With a footnote that to keep playing the VBM I had to pay the monthly fee.
You say it's a small company and I don't know if you have a PFY or anything.
Often it pays to not be too nice or at least not as nice as the other guy people can go to for "help". People will subconsciously go to the person they feel most comfortable talking to for help. Make sure it isn't you.
Users are stupid. This is a sad fact of life; look on the bright side - if they weren't, some of us would be out of a job.
Make sure you log requests in some form of Helpdesk as evidence. The people who repeatedly ask the same questions over and over need to be tracked and recommendations for training should be made to their manager or relevant department. After all it's 'good for the company'. 'Training' is one of the biggest sticks we wield. Learn to use it well. You want people to fear being sent on training and to be motivated to spend time actually reading that dialogue box.
Users are lazy and will follow the easiest path. Don't be easy to get hold of. If it's easier to call you than engage one's brain and actually think then guess which one they are going to do? Work on making coming to you more work than resolving the problem themselves. Don't reset passwords too quickly. They will complain to their manager that they can't do any work and blame you. Point out the 50 or so times the person forgets their password a week and recommend training. Remember you are an easy target to blame for incompetent workers. Always put the responsibility back onto the user by giving them something to do before you can do your bit.
It's a stressful job. About the best way to deal with it is learn to not use logic or think rationally. Think of users as pets; for example, if a dog craps in the street you wouldn't spend time getting upset about it and worrying why it did it - it's a dog - it's what dogs do. You just have to accept it and get on with it - there is no higher thought process at work here. If it's a problem then you have to be prepared for it.
Above all, never, NEVER give out your cell phone number or fix a computer someone brings in from home.