Slashdot Mirror


User: Mr. Firewall

Mr. Firewall's activity in the archive.

Stories: 0
Comments: 541

Comments · 541

  1. How Gates planned to secure .NET on Gates Tries to Explain .Net · Score: 5, Interesting

    One of the people at the White House Office of Cybersecurity told me an interesting story once.

    About 2 years ago he was at a briefing of high mucky-mucks where Gates was pitching all of the Good Things (TM) that .NET was going to be.

    My friend was in one of the front rows, not twenty feet from Gates. He knew that if he raised his hand, Gates couldn't ignore him. So he waited for a few reporters to ask their usual lame questions and then made his move: "Bill, how in the hell are you going to secure all of this?"

    He says that Gates's eyes glassed over and his knuckles, where he'd been gripping the edges of the podium, turned white. He spent the next several minutes rambling about QOS -- yes, QOS was going to secure .NET!

    There is more to this story that I wish I could tell. Suffice it to say that the White House cybersecurity people (including Howard Schmidt, who was recently vilified here) are not as stupid as slashdotters think they are. These men will never reveal in public their true opinion of Micro$oft, but they have spoken to me in private about it. They're not as far away from our opinions as you think.

  2. Slashdot FUD on Schmidt Predicts Digital Sky Is Falling · Score: 1

    You might think about doing a little bit of research before shooting your mouths off.

    First of all, his name is Howard Schmidt, not George.

    Secondly, while he did work for the Borg for a while, he was never assimilated. He was not very happy there.

    Third, there is a real proposal on the table to give IP addresses to pacemakers. Considering the current level of security in networks, this should scare you. It certainly scares Howard.

  3. Re:huh? on U.S. Gov't Planning To "Help Us" Secure Computers · Score: 1

    So my earlier question stands, why not (a) use something else if it is so insecure or (b) demand Microsoft fix it. Why is it the US government's job to do a private company's job for them?

    Let's see if I can explain this. I am going to type very slowly and use small words so that you can understand.

    This is not the government doing a private company's job for them. The Government is not spending any money patching Micro$oft's bugs for them. The Government is not distributing any patches for them. The Government is only publicizing a security tool, written and reviewed by the country's best minds in information security, so that people will hopefully use it to secure their systems.

    To answer your first two questions, the current Administration believes (as I do) that it is not in the proper role of Government to decide for other people what operating system they should or should not be using on their computers. The Government wishes to stay out of those almost-religious squabbles.

    However, the Government IS demanding that Micro$oft fix its security problems. Did you not see the news item about the letter the Air Force's CIO sent to Micro$oft? (Look it up yourself, I don't have time)

    The people that brought you Carnivore and Magic Lantern are to not be questioned when they give you a binary to run on your PC?

    This may be difficult for you to grasp... but it's well-documented that the FBI does not want anyone knowing just what is in Carnivore and Magic Lantern. Therefore, it will be a cold day in Hell before they include either of those in a consensus-created tool that was reviewed by hundreds of security experts before it was released. They may be sinister, but they are not stupid.

  4. Re:What's wrong with Win2k server? on SSH Secure Services on Windows 2K/XP? · Score: 1

    My friend, Windows 2000 default tunneling procedure utilizes L2TP for tunneling and IPSec for encryption.
    What's the difference between MS IPSec and OpenBSD IPSec? Is not IPSec a standard?

    To paraphrase a favorite American President, "That depends upon what the definition of 'standard' is."

    Remember that M$ also claims that the W2K version of Kerberos is "standards-compliant," yet Kerberos will only work with Win2K machines if the KDC is on a W2K server!

    And isn't L2TP only a "standard" if you're using Windows 2000 servers AND Cisco routers?

    In the case of IPSec, the problem is that the maximum key length you can use in Win2K is 56 bits. That may or may not be adequate for your needs (it is certainly NOT adequate if you're a bank, defense contractor, or a member of dozens of other industries where trade secrets are worth Billions of $$$). 56-bit keys can now be cracked in about a day by a determined, well-financed adversary.

    As I said in my original post, just be aware. It may or may not be an issue for you.

  5. Federalism on Unauditable Voting Machines · Score: 1

    Since you mentioned Canada... [snip] Up here in the tundra our federal elections are run by a national agency (called, oddly enough "Elections Canada"). It makes things fairly uniform coast-to-coast [snip] Do I understand correctly that each county in Florida is responsible for the federal voting in their county, and they can conduct the voting however the heck they want to?

    Thanks to the wonderful (NOT!) "education system" here in the States, most of our citizens are woefully uninformed about how our federal elections work. In the U.S., the People do NOT elect the President; the States elect the President.

    The Founders intended a relatively weak Federal government that would be little more than a loose federation of sovereign States, where the real power lies. To prevent a State from getting out of control, each County within that State was to have its own independent election board.

    The Founders had an enormous fear of any one person or entity gaining ultimate power over the entire country. The President and the Congress were to deal only with issues which were common to all States, or with issues which crossed state lines.

    Abraham Lincoln, a Republican, changed all of that nearly 140 years ago. The US is now very close to the same sort of tyranny that the Founders were escaping when they declared their independence two-plus centuries ago.

    But there's still hope. Though the Constitution is largely ignored, misunderstood or "re-interpreted", neither it nor the Electoral College has been formally abolished -- yet.

  6. Re:Jen bush rides again on Unauditable Voting Machines · Score: 1

    When are people going to wake up to the fact that republicans are trying to take away our liberties and rights?

    When are people going to wake up and realize that it doesn't matter whether it's Democrites or Repugnicans who are in power, they're BOTH taking away rights and civil liberties?

    Does anyone really believe that if Gore was president instead of Bush, that things would be any different? Gimme a break. Gore would have taken away the same liberties as Bush, with one exception:

    Gore would have also taken away our guns.

    And yes, I am a Libertarian. (Hello to Elias Israel!)

  7. Re:IPSec on SSH Secure Services on Windows 2K/XP? · Score: 1

    Be aware that Micro$oft's implementation of IPSec uses weak encryption.

  8. Re:What's wrong with Win2k server? on SSH Secure Services on Windows 2K/XP? · Score: 1

    I cannot answer the other questions, but I can answer this one:

    And specifically regarding your SSH question, it's not SSH, but Windows Server supports Remote Access services, via which you could set up a VPN and have a secure connection to the company servers.

    Actually, you DON'T have a secure connection to your servers through Windows RAS. Micro$oft uses weak encryption in their VPN tunnels, and it's not that difficult to crack it.

    To answer your question -- that, my friend, is what's wrong with Win2K server. What *I* would do is set up either a Cisco router or an OpenBSD server in front of it with an IPSec VPN, but I'm not you.

    Good luck with your project, and may the Force be with you.

  9. Win2K security on SSH Secure Services on Windows 2K/XP? · Score: 2, Funny

    You might want to take the one-day class on securing Windows 2000 currently being run in various cities by the SANS Institute or you won't have to worry about having secure remote access to your server(s) -- someone else will.

    It won't help to have the best encryption in the world securing your front door to a system that has 120 vulnerabilities in the default install!

  10. Re:huh? on U.S. Gov't Planning To "Help Us" Secure Computers · Score: 1

    It's true that the Bush Administration has made some amazingly stupid blunders. However, this is not one of them and the large volume of ignorant, knee-jerk remarks being made in this thread is proof to me that slashdotters are just as capable of mindless FUD as our favorite corporate punching bag.

    I'm a security professional who happens to know three of the people in the White House office of cybersecurity. All three have a great deal more clue than anyone posting on this forum realizes. Judging from the maturity level of the posts I've seen here, I think it's safe to say that these gentlemen were securing computers when most of you were running around in diapers.

    Let's deal with some facts here. Please.

    The default install of Windoze 2000 contains at least 120 known vulnerabilities [source: SANS Institute].

    Many of us security professionals have had to deal with Neanderthal bosses unwilling to allocate to us the time and/or people to properly secure our connected systems.

    So the best minds among us (some in industry, some in academia and some in Government) have been working for the last couple of years or so on a consensus standard that defines minimum-acceptable and best-practices levels of security for various operating systems (FWIW, the Unix document was finished a long time ago). And yes, some of those best minds are working for the US military, the FBI and the NSA.

    With this standard in hand, and a tool to quickly and easily evaluate our systems, many of us believe that we now have something we can take to clueless bosses and say, THIS is the standard! Are we going to meet it, or not?

    Those of us in the security community believe that the US government is the best vehicle for publishing and communicating these standards. For one thing, Government agencies have been dragging their feet at complying with Congress' demands that they secure their systems, citing (among other things) the lack of a standard for secure configuration.

    But there is another, even more serious issue: millions of clueless Americans connecting home PCs to the Internet through high-bandwidth connections, oblivious to the collective danger that millions of potential DDOS zombies pose to the nation's critical infrastructure. I mentioned this to Dick Clarke (White House Chief of Cybersecurity) last month in a meeting with him, and I for one am damned glad to see that he's doing something about it. He's basically taken the Windows 2000 security consensus document and vulnerability scanner (which are finally ready) and taken them to the masses.

    Let's face it, we have people out there who couldn't get a clue if they were standing in a field of clues during clue mating season wearing clue musk, but if the President of the United States tells them they need to secure their home computers to make America safe, then they'll By God do it!

    The idiotic anti-government paranoia I've seen expressed in response to this is, frankly, highly inappropriate. Some of you need to grow up and learn not to piss in the village's well.

  11. A possible solution on Security Gatherings for the Little Guys · Score: 1

    First of all, I am a SANS alumnus, and I doubt that any better security education is available anywhere, for any price.

    That said, my friend Ed Sawicki (alcpress.com) puts on some great classes that don't cost much, and once commented to me how expensive he considers SANS to be.

    Even though I'm a SANS alumnus, I think Ed still has me beat hands-down for security knowledge. Take a look at his website, then write to him and tell him I said that he should start running some classes in security basics!

    It's possible that he might be willing to do it.

  12. NOT ridiculous on Warchalking Visual Cues To Urban WLANs · Score: 2, Interesting

    ...these signs are nothing more than telling people where they can steal free bandwidth.

    [snip]

    This is F***ing ridiculous. Go buy your OWN damn access and stop taking others' just because you can.

    This is not ridiculous at all, since the United States' cybersecurity czar said that these idiots deserve their fate:

    "If you spend more on coffee than on IT security, then you ... deserve to be hacked."

    http://news.com.com/2100-1001-840335.html

    I'm sorry, but these morons desperately need a wake-up call.

  13. I'm glad YOU don't have any trouble finding a job on Technology Sectors that are Hot or Heating Up Now? · Score: 1

    I'm a network administrator with two certifications, one in security, and I've been out of work for four months.

  14. User data backups on Making Users Back Up Important Data? · Score: 1

    I speak with the voice of experience. Until recently, I was the network administrator in a similar situation ... VERY similar.

    Trust me, friend -- the only way to keep your sanity is to set up home directories for users on the file server, make regular backups of said home directories ("at" works nicely with Window$ operating systems) and make it known that you will NOT be responsible for ANY data on local hard drives!

    You need to state the latter message often, because people not only forget, but new people coming in to the organization need to be made aware.

    Frankly, the only proper way to do this is with a good, well-written policy -- and policy is not your responsibility, it's upper management's job. If you are in a place where upper management cannot be made interested in creating a policy (as I was) then you then need to do what I did: start looking for another job.

    I'm really, really glad I'm no longer aboard that ship of fools....

  15. IBM, Linux and business on Linux To Run Sherwin-Williams Cash Registers · Score: 2, Informative

    This is a direct result of IBM's billion-dollar commitment to Linux last year, and Sherwin-Williams isn't the only one.

    Just last week I participated in a rollout for Sears Optical (the little department inside of Sears stores that does eye exams and sells glasses, etc).

    The hardware was IBM. The OS was Linux.

    According to a friend-of-a-friend who is an IBM rep, IBM has already gotten their billion dollars back in increased sales, and is now ready to pump ANOTHER billion into Linux!

    Politics surely does make strange bedfellows. Seems it was only a few years ago that we were calling IBM the 'evil empire' and now all of a sudden they're on our side.

  16. Re:Back-Handed Compliment on Linux To Run Sherwin-Williams Cash Registers · Score: 1

    Sooo... if they actually needed it to do anything other than the computational equivalent of a nice picnic, they would have gone for a "serious" OS?

    Like Windows?

    No. Like BSD.