Slashdot Mirror


User: Aram+Fingal

Aram+Fingal's activity in the archive.

Stories
0
Comments
258

Comments · 258

  1. Password Policy on What Examples of Security Theater Have You Encountered? · · Score: 4, Funny

    I was working with a particular system where the vendor added a strict password security policy. They require a mixture of uppercase and lowercase letters as well as at least one digit or special character. Later on, I discovered, by accident, that the password is not case sensitive when you actually go to log in. It turns out that the routine for setting the password enforces stronger passwords than the underlying system can actually support. The vendor, of course, claimed that they would be upgrading their underlying password encryption algorithm very soon.
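    The mismatch described in this comment, as an added illustration (not the vendor's code or anything from the original post): a toy credential store whose set-password routine enforces the complexity rules but whose login path folds case before hashing, next to a corrected store, and a check a defender can run against any password-setting API to confirm the policy is actually enforced at login time. The class names, the PBKDF2 parameters and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Complexity rules of the kind the post describes (constructed for this example).
COMPLEXITY = [
    (re.compile(r"[A-Z]"), "uppercase letter"),
    (re.compile(r"[a-z]"), "lowercase letter"),
    (re.compile(r"[0-9]|[^A-Za-z0-9]"), "digit or special character"),
]


def policy_violations(password):
    """Return the names of the complexity rules the password fails (set-password check)."""
    return [name for rx, name in COMPLEXITY if not rx.search(password)]


def _derive(secret, salt):
    # PBKDF2-HMAC-SHA256; parameters are illustrative, not the vendor's.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class LegacyStore:
    """Mimics the behaviour in the post: strict policy when the password is set,
    but the underlying system folds case before hashing, so login is case-insensitive."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.digest = None

    def set_password(self, pw):
        bad = policy_violations(pw)
        if bad:
            raise ValueError("password is missing: " + ", ".join(bad))
        # The weakness: case is thrown away, so the uppercase/lowercase rule adds nothing.
        self.digest = _derive(pw.lower(), self.salt)

    def check_password(self, pw):
        return hmac.compare_digest(_derive(pw.lower(), self.salt), self.digest)


class FixedStore(LegacyStore):
    """Same policy, but the stored credential preserves case, so the rule means something."""

    def set_password(self, pw):
        bad = policy_violations(pw)
        if bad:
            raise ValueError("password is missing: " + ", ".join(bad))
        self.digest = _derive(pw, self.salt)

    def check_password(self, pw):
        return hmac.compare_digest(_derive(pw, self.salt), self.digest)


def policy_is_enforced_at_login(store_cls, pw="Tr0ub4dor&3"):
    """Audit check: set a policy-compliant password, then attempt login with the
    same password with its case flipped. If the flipped form also authenticates,
    the mixed-case requirement is theater."""
    store = store_cls()
    store.set_password(pw)
    return store.check_password(pw) and not store.check_password(pw.swapcase())


if __name__ == "__main__":
    for cls in (LegacyStore, FixedStore):
        print(cls.__name__, "enforces policy at login:", policy_is_enforced_at_login(cls))
```

    The same check applies to a real system: set a known compliant password through the normal interface, then try to authenticate with a case-flipped copy; the policy text is irrelevant if that succeeds.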

  2. Re:It's just business? on Dell Found Guilty of Fraud, False Advertising · · Score: 1

    I guess I'll put in my 2 cents about experience with Dell support.

    Enterprise server support: Excellent.
    Enterprise desktop support: They often make you spend a lot of time detailing the problem (sometimes multiple calls) but they always come through in the end.
    Home/consumer support: Mixed - sometimes good, sometimes horrible and everything in between.

  3. Re:Resale... on Olympic Tickets Contain Microchip With Your Data · · Score: 1

    Exactly! I think the Chinese government has handed their dissidents an excellent method of protest. Besides having people exchange tickets, you could try a mix of other techniques to disrupt the process. You could have pickpockets swap the tickets for other attendees. You could destroy the RFIDs in other tickets. I hear that it only takes a small amount of microwaving to destroy an RFID.

  4. Re:PGP on How Would You Prefer To Send Sensitive Data? · · Score: 1

    For the most part, actually cracking cryptography is not worth it, especially so in the case of PGP and GPG. It's usually much easier to use some kind of chosen text attack because people seldom use the strongest possible passwords. Other options include things like keyloggers to capture the password or social engineering.

  5. Re:Everyday user? on Just How Effective is System Hardening? · · Score: 2, Informative

    I read through the NSA guide for OSX 10.3 and it's surprisingly basic. Most of it just repeats common advice on Mac security that you can get from a number of places. Some of it covers things that the average user wouldn't do like disconnect the microphone so that a spy can't hack in, activate it and listen in on your conversations. The one part which I thought was good was the section on when and how to use the Keychain.

  6. ddrescue and Foremost is a possible combo for you on Retrieving Data From Old Amstrad Floppies? · · Score: 3, Informative

    ddrescue is an open source disk recovery tool based on dd. It can make a disk image from any kind of disk, regardless of format, and it is designed to be very robust at reading through bad blocks, as you're likely to have on disks that old. You just need to have a floppy drive to connect to. ddrescue will compile and run on Linux, OS X and maybe Cygwin.

    Once you have a disk image, Foremost can extract files from it. It is also open source and can be compiled and run on many different platforms and doesn't care about the filesystem on the disk image (or original disk). It searches for files based on header information. If need be, you can edit what header information it looks for. Since your BASIC source code is, presumably, ASCII text files, it shouldn't be a problem.
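    The header-based carving the comment attributes to Foremost, as an added example that is not Foremost's code or anything from the original post: a minimal carver that scans a raw disk image for known file headers, cuts each file out up to its footer, and separately keeps runs of printable text (a BASIC listing) that have no header to look for. The signature table, the 32-byte text threshold and the sample image (junk, two BASIC listings, a PNG-like blob and zero-filled runs standing in for blocks ddrescue could not read) are all constructed for the example.

```python
import os
import re

# A small signature table in the spirit of Foremost's configuration (constructed subset).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
# Runs of printable ASCII (plus tab/CR/LF) long enough to be worth keeping as text.
TEXT_RUN = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]{32,}")


def carve(image, max_size=1 << 20):
    """Scan a raw image for known headers and cut each file out up to its footer
    (or max_size bytes if no footer is found), then pick up text runs that fall
    outside the carved regions. Returns a list of (kind, offset, data) sorted by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while (pos := image.find(header, start)) != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            end = pos + max_size if end == -1 else end + len(footer)
            found.append((kind, pos, image[pos:end]))
            start = end
    carved = [(pos, pos + len(data)) for _, pos, data in found]
    for m in TEXT_RUN.finditer(image):
        if not any(lo <= m.start() < hi for lo, hi in carved):
            found.append(("txt", m.start(), m.group()))
    return sorted(found, key=lambda f: f[1])


def carve_to_dir(image, outdir):
    """Write each carved file as <offset>.<kind>, the way carving tools usually name output."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for kind, pos, data in carve(image):
        name = os.path.join(outdir, f"{pos:08d}.{kind}")
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


def build_sample_image():
    """Constructed sample image: junk, a BASIC listing, a zero-filled 'bad block',
    a PNG-like blob, more junk, a second listing, another bad block."""
    basic1 = b'10 PRINT "HELLO WORLD"\r\n20 GOTO 10\r\n'
    basic2 = b"10 FOR I=1 TO 10\r\n20 PRINT I*I\r\n30 NEXT I\r\n"
    png = SIGNATURES["png"][0] + bytes(range(40)) + SIGNATURES["png"][1]
    junk = bytes([0xA5, 0x5A, 0x00, 0xFF]) * 64
    bad_block = b"\x00" * 512
    return junk + basic1 + bad_block + png + junk + basic2 + bad_block


if __name__ == "__main__":
    for kind, pos, data in carve(build_sample_image()):
        print(f"{pos:08d}.{kind}  {len(data)} bytes")
```

    Real images are much larger and the text heuristic will also pick up strings embedded in binaries, which is why tools like Foremost let you tune the signature list; the useful property for old BASIC source is that plain text survives even when the filesystem metadata does not.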

  7. Marketing ploy? on Spore, Mass Effect DRM Phone Home For Single-Player Gaming · · Score: 1

    What if DRM is just the excuse for the call home feature and what they really want is marketing data about how long the software installed and where? They could, possibly, transmit other data as well. If they encrypt transmission then you can't tell what information they are sending. If they don't encrypt then a third party can intercept the information and use it for their marketing.

  8. Prefixes on A Yottabyte of Storage Per Year by 2013 · · Score: 1

    Here are a couple of sources on those prefixes which TFA seems to have confused. They agree with each other:
    SearchStorage Definitions
    Extreme prefixes

    This last one mentions even higher prefixes like vendeka (10^33).

  9. Re:Time will tell... on Why Yahoo Turned Microsoft Down · · Score: 2, Insightful

    If stockholders come to MS for a bailout of their capital, they don't even need a hostile takeover -- it will be a willing one. And the profits Yahoo posts from Google won't reflect in their stock price for a while.

    I don't think that's true. Stock prices usually respond in anticipation of an event. Investors know that this is going to happen so they have already factored it into their willingness to buy or sell. Later, when the event actually happens, the response in share price will be a correction to do with how well expectations were met.

  10. Re:How it's used? on Who Owns Software? · · Score: 2, Insightful

    ...But all modern cars have embedded computer systems which help run components of the vehicle. Some of them must contain software which is subject to copyright and I wouldn't be surprised if there is a EULA among all that paperwork about the warranty. That's something to watch out for next time you buy a car.

  11. Re:who cares? LINUX SPINMASTER @ WORK, lol! on The Continuing War Against Microsoft's "Facts" Campaign · · Score: 3, Informative

    You didn't RTFA, did you? The whole point is that Microsoft is promising a comparison of Windows vs. Linux and then pointing to studies which don't do that. One example study was only comparing a new version of Windows against an older version of Windows (typical Microsoft marketing). The other study was about a replacement of a network environment, which was mostly Windows but had a few Linux and Novell servers, with an all-Windows environment. They got some benefit from the conversion but that's no surprise because they replaced very old versions of Windows with newer ones. For the Linux and Novell servers, they didn't even consider the possibility of upgrading them with newer versions of Linux. There was no bid from a Linux vendor to compare to.

  12. Re:Ignores possibility of the Singularity on Why Life On Mars May Foretell Our Doom · · Score: 1

    On the other hand, suppose that communication based on quantum entanglement is such a small step in technology after basic radio that no one uses radio wave technologies for long -- maybe a century or two. An advanced civilization, even if they do receive our radio communication, may decide that it would be faster to wait until we can talk by quantum entanglement.

  13. Re:Interesting thought on Microsoft Helps Police Crack Your Computer · · Score: 1

    According to a computer forensics textbook, which I have at home (or I would post the citation), they would send it out to an expert on that OS. There are various forensics labs which specialize in different OS and device types. It's not just desktop OSes, there are all those PDA and similar devices out there.

  14. Reliability and shock resistance on Performance Showdown - SSDs vs. HDDs · · Score: 1

    Flash media, like compact flash cards, are supposed to be very shock resistant compared to hard drives. That would give these SSD drives a big advantage in machines designed to be very rugged.

  15. This all doesn't sound that radical on Data Center In a Shoe Box · · Score: 1

    The server units don't seem any more radical than a Mac Mini and there are many small NAS units that have been around for a long time.

  16. Re:OLPC Has Lost Its Way on Negroponte vs. Open-Source Fundamentalists · · Score: 1

    I think it's about seeing that the project does not end up dependent on a proprietary software developer, whether it's Microsoft or Apple. If the project ends up primarily using proprietary software for the OS then they end up being dependent on that vendor to keep supporting the project in the future. With Open Source, you have support as long as there is community interest.

  17. Re:Inject a vaccine? on Researchers Infiltrate and 'Pollute' Storm Botnet · · Score: 1

    You would have to be careful not to repeat the mistakes of the Welchia worm. This is a worm-destroying worm which attempts to remove the MS Blaster worm and download and install the patch for the vulnerability which MS Blaster (and Welchia itself) uses to infect computers. The problem is that Welchia disrupted network activity and caused PCs to reboot at unexpected times to complete installation of the security patch. It is, therefore, considered to be malware and is removed by all the major antivirus products.

  18. Re:Microsoft's naming policies... on First Looks at Microsoft's New "Live Mesh" Platform · · Score: 2, Funny

    WinCE and WUS (Windows Update Server) are good examples too although both have since been replaced with other names. Just pronounce the acronyms as words.

  19. Re:Why wouldn't an engineer want a Mac? on IBM's Pilot Program For Internal Use of Macs · · Score: 1

    We use Active Directory as well. Each AD configuration is a bit different and some are more Mac friendly than others. You can get Macs to integrate with ours but it's some work. In practice, the vast majority of Macs aren't in the AD and most Mac users don't see the point. In a few cases, however, there's a specific reason related to how a Mac is used which makes it a big advantage to use AD and then we make the effort to integrate it.

  20. Re:Doesn't matter on Windows Update Can Hurt Security · · Score: 2, Insightful

    If you encrypt with a new salt value each time an update is performed, that makes the process much more difficult to work around.

  21. Escalating the conflict on U. of Chicago Law School Blocks Internet Access · · Score: 1

    Things will get interesting when Sprint WiMax service lights up in Chicago later this year.

    They could build a Faraday cage around the classroom. I've heard that the wire mesh used for some forms of stucco can make a Faraday cage that will block cell phone signals. There's a restaurant in my area where that happened by accident and many of the customers like it and go there when they want to be off the grid for a while.

  22. Resigning because of this on What Should We Do About Security Ethics? · · Score: 1

    I am currently looking for a new job because my supervisor isn't letting me do what I think is necessary for security. I have several things related to HIPAA compliance and basic security on my to-do list and my supervisor acknowledges that these things need to be done but keeps putting other projects, which I would consider lower priority, ahead of security. It's not just that. What happened recently is that they decided to lay off some people and just did it without consulting anyone about the technical consequences. Ethically, they should have talked to us and asked for volunteers. Practically, that would have led to a discussion of how to manage each system without this person or that person.

    It's a bad time, in terms of the economy, to be looking for a new job but, once I find one, I will state, in my letter of resignation, that one of the reasons I'm leaving is that I consider it to be a hazard to my career to be responsible for security under these conditions. I'm the only CISSP in the organization and if they won't accept my expert opinion or act on it then I'm outta here.

  23. Re:Simple business model on Your Identity Is Worth Less Than $15 · · Score: 1

    My point, exactly, was that the previous poster was basing his statement about Symantec on the consumer version of Symantec Internet Security while I was talking about my experience with Symantec and the Enterprise Edition of Symantec AV. We were talking about two completely different products. I guess that wasn't as clear as I intended.

    We actually do use both Sophos and Symantec AV already (on different machines). Sophos supports many more platforms than Symantec and McAfee do so we use Sophos where we can't use Symantec. In practice, this is mostly special cases like mail servers which run a commercial version of UNIX.

  24. Re:Simple business model on Your Identity Is Worth Less Than $15 · · Score: 1

    No, no, no. Symantec Internet Security usually happens as a pre-installed "90-days trial" after which you can reinstall Windows to get rid of it. Or when you buy an "Internet Security" option from your ISP, which will happily send you Norton install CDs every year.

    I see. You're talking about the consumer version and I'm talking about the Enterprise Edition. In hindsight, it may have been interesting to question the Symantec people about why we, as an institution, should trust them when they treat consumers so badly.

    It is also interesting to note that, when a representative from Sophos told us that their product was incompatible with Symantec AV and we had to use one or the other, not both, one of our sysadmins mentioned the difficulty we had in removing Symantec AV. The Sophos guy said that their installer could completely and safely remove Symantec AV and that they couldn't call themselves much of an AV company if they couldn't remove their competitor's product.

  25. Re:Simple business model on Your Identity Is Worth Less Than $15 · · Score: 1

    [Symantec has] "done more to reduce internet security than most, with bloated, unusable virus checkers..."

    I suppose there is some grain of truth to this but it's a bit extreme to go that far. Symantec does have competitors and those competitors would have taken over if Symantec was really that bad. There are commercial offerings like McAfee and Sophos (for institutional use) and there is at least one open source offering - ClamAV. I recently participated in a review of antivirus software at my employer which is a large institution. We looked at all the possibilities, including not using antivirus (more of an option for Mac than Windows) and we looked at all the problems with bugs, central management glitches and software conflicts. To make a long story short, we ended up deciding to stick with Symantec, at least for now. It's not perfect but the benefits do outweigh the problems. It is unfortunate that there is so much emphasis on reactive security like antivirus when we should be, at least, looking for proactive measures as much as possible. Still, you have to use what's available to combat the threats that are known.