Are doctors unhappy too, then? Since they see problems constantly? What about the fact that we're in infosec to fix problems?
It seems to me like you've already started with the wrong perspective---already focusing on the negative.
It all comes down to the people you work with. Do they listen? Do they improve their organizations based on what you tell them? If so, then finding problems is a good thing. If not, then finding problems is a bad thing because it just adds to the list of things that will never be fixed.
Make the requisite changes so that you'll be listened to. This may mean changing positions, companies, or elevating your game, or all of the above. But when you get there the whole game will change.
I have a high-end one (2.0 or 2.16 GHz *and* a 7200RPM SATA drive) on the way and it should be here by the end of the month. I'm going to do a full review as soon as humanly possible, and I'll be sure to post some Ironforge framerate stats (the most important benchmark ever).
We need to look at real world numbers here rather than vulnerability counts. How many of you have been called to friends' and loved ones' houses in order to clean their PCs that were infected through Firefox?
Anyone? I doubt it. So until we see massive numbers of systems getting rocked because of Firefox vulnerabilities, it's nothing but specious to claim that the security of the two is even comparable.
I hate to go somewhat off-topic, but it may be that you don't really need a firewall as much as an IPS.
Guess what an OpenBSD firewall is going to do for you when the next IIS exploit comes out? Nothing. How about a nice IPTABLES box? Nothing. Why? Because you're passing the ports back.
If a service isn't necessary, turn it off. If it *is* necessary, then you're going to have to pass the ports back to it THROUGH the firewall. At that point, anything malicious coming down that connection might as well not be firewalled.
Back when I was an admin, I used to run BlackIce on my Windows servers. It sounds lame, I know, but it was a highly effective solution. Not only did it do some rudimentary firewalling for me, but it actually stopped malicious traffic that had to be allowed by any firewall -- since it was a server.
Remember, firewalls are good at blocking things, but that's not always an option -- especially when running servers. If you have an option to block something completely, just disable the service and be done with it. If you don't have that option, and you have to allow access to the service, look into an IPS.
Think of it this way -- if you pass a port through 15 non-proxying, non-application-based firewalls, you didn't gain anything. You might as well have had a wide open connection to the Internet on that port. That's where an IPS or other application-data viewing system comes in.
It's important to realize that you're only vulnerable to this issue if you're *not* doing integrity checking via IPSEC. Most major VPN infrastructures I run across use ESP with both confidentiality *and* integrity functionality enabled (some use AH as well). If that's the case for network x, then network x has nothing to fear from this.
Always read vulnerability details; people love to sensationalize stuff like this to the extreme.
Perhaps to some degree, but many here forget that Microsoft has good products and is not completely worthless. Most like to bash, bash, bash them for any and every product they have. I don't.
I'm making the distinction between their offerings and their dealings with the world. I don't hear that point of view very often here, so I thought it would be worthwhile to mention.
It's not trolling if there is a real point being made other than to incite hostility and debate. My point is clear: Microsoft has a lot to offer by way of products, but they turn people off by being so deceitful when dealing with competition.
If you think a comment along those lines is trolling, I suggest you take another look at the definition.
These people make me sick. It's stories like this that make me realize why Microsoft is the object of so much hate. It's not because of their products, it's all about how they deal with competition.
I like Active Directory and a few other Microsoft creations, and I even have an MCSE. Hell, Exchange has a good feature-set; if it would just stay up and be easier to manage it'd be a great product too.
What I can't abide is being told that IIS is superior to Apache, and that Windows is more secure than "Linux". They send out these teams of spin-doctors with big bankrolls and try and take over the world using FUD. It's total crap.
When do you see Linus doing this? Steve Jobs? Not very often. There are occasional comments, but nothing like this steady stream of trash that comes out of Redmond. I grow tired of it, and my reasons for disliking the company have never been more clear.
"This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128."
Comparably secure? The Rijndael algorithm has been around for a pretty long time and has undergone a lot of scrutiny. Wait until this new kid has been around the block for a few years; then we talk about comparisons to Rijndael.
"You keep using this word. I don't think it means what you think it means."
This is big. As the parent touched on, the possibility of "Google OS" is definitely real. It would be utterly non-trivial, to be sure, but if anyone can pull it off, it's Google. Between their cooperation with the Firefox project and now the acquisition of a key Microsoft architect, the sky is the limit for this group.
I'm sorry to inform you that Bayesian is no longer a techno-buzz-word. Last year, it was acceptable to apply the word Bayesian to any sort of statistical process and sound like a genius.
Ah, you belong here at Slashdot. Your sense of sarcasm is highly tuned. Unfortunately, I think this is like Bayesian Inference.
From Wikipedia: Bayesian inference is statistical inference in which probabilities are interpreted not as frequencies or proportions or the like, but rather as degrees of belief.
I can't help but see the similarities between taking in a bunch of evidence and subconsciously adjusting how much you believe you are in danger as a result. In Bayesian spam filtering, there are values assigned to how dangerous a given input is already, and this is obviously not as clear in the case of a human brain doing the same to given environmental conditions, but the similarity is still interesting.
We obviously can't say this is exactly like Bayesian filtering, since we don't know how it works for humans exactly; the point is, the human mind appears to be incrementally adjusting its perception of danger according to various dynamic variables. If you can't see the similarity there, then relax a bit -- you're trying too hard to be the sarcasm-wielding, skeptical guy that loves nothing more than going on the attack.
...rather than a sixth sense. Just as many have pointed out, it's still the 5 senses that are doing the input gathering here -- it's just that another part of the brain is doing some number crunching.
I liken it to Bayesian because it seems to be based on analyzing what happened in the past in order to attempt to predict what is *going* to happen in the future.
For spam: Stuff with these characters are often spam, let's bump this score up a bit. For danger: Every time x happens, y seems to happen afterwards, so I should flee.
This isn't magic, guys. It's just another advantage of the subconscious doing work behind the scenes.
/., like Wired, is just prone to blowing these sorts of stories out of proportion.
I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.
An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router lets them through to the main network. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.
The trick here is that no one is in better position to do such a thing than the company that owns most of the network infrastructure.
Don't dismiss them as a security company; we've only seen the beginning.
3 Books You Should Put On Your List on Blink · Score: 3, Interesting
"I've been thinking about getting one and syncing it with OS X. How well have you been finding it works?"
Yes, it seems to be working quite nicely. Alarmed events from iCal don't come over with alarms in the device (unless I'm missing something), but other than that it seems pretty decent.
This doesn't surprise me. I am selling my T3 Tungsten Palm right now, and it's because I just don't use it. I mean, I *want* to use it, or, more accurately, I want to *need* to use it, but it's just not something I keep with me constantly.
I am torn between being geeky and liking tons of devices, but also moving toward simplification as a central theme in my life. Simplification, in the world of gadgets, unfortunately means using a single, do-it-all device. That for me equates to my Blackberry, which I am now syncing with my OS X machine (I refuse to be a M** person).
Anyway, that's the trend I think -- single devices doing everything. Few people want to lug around multiple contraptions.
This book is absolutely awesome. I haven't even finished it yet (procrastination), but I have already implemented a few nuggets I've picked up, with great results. I strongly suggest this text for anyone who feels they have time management issues.
Also, here's a nifty diagram related to the system that will make sense once you read the book.
My thoughts exactly. The focus for many on the anti-MS side of things is not the fact that there are vulnerabilities, it's how they are handled. Grats to MS for tackling this one.
So DES is the same then too? I think there is a significant jump between being proven to be relatively secure and simply not having been broken yet.
...you can't go wrong with a Mitnick story.
The network shouldn't trust the host, or any software running on it, to make network protection decisions that the network will blindly follow.
The alternative today is to do no such access control from a network standpoint. Don't let perfect be the enemy of vastly improved.
Blink
The Tipping Point
The Wisdom Of Crowds
"I have OpenBSD on my firewall and main work machine."
It's not the same box is it?
Yeah, here's a Broadband Reports Security thread about the incident.
I can't wait to hear what AA's response to Doctorow is.
True, but it wasn't a huge issue until the exploit code went public. They jumped on it once that happened and that's better than not at all.
...nice to see a quick move from MS.