Correction... Karl Rove is, of course, Deputy Chief of Staff (not the full Chief). Nonetheless, the similarities between the administrations continue to stack up.
I find it quite bemusing that Fox News says there hasn't been a Chief of Staff like Karl Rove since Harry Haldeman, Nixon's Chief of Staff.
I am sure I am revealing my opinion of the Bush administration/Presidency somewhat, but it's one heck of a coincidence that arguably the two most corrupted Presidencies of the United States' 20th/21st centuries have the two most similar Chiefs of Staff.
***** ATTENTION AUSTRALIAN ISPs: ***** Your service can be used to access child pornography via the use of the NNTP, HTTP, HTTPS, FTP, P2P and many other protocols.
So now that all the ISPs are aware they have to report it to the police.
The ISPs however will not want to report this to the police, because whilst the police have to do the tracking down the ISPs will have to dig up access logs for them, caches and cache logs, install network sniffers and do all sorts of time consuming things that will scare off customers as well.
I think the best response to this legislation is for -all- ISPs to report themselves on 1 March 2005 and completely overwhelm the police such that they just abandon it as more garbage legislation.
(Please note this posting is based on the referred posting, and not on a reading of the law itself.)
If someone had the time, and investigative knack we could probably work out who they are going to sue, or at least who the handful of companies are.
They say they are going to sue a user who is an International top 1000 company.
So we have our first sub-set of all companies.
Next we ask which of these is likely using Linux. Some industries are less likely than others to have wholesale rollouts of Linux. I am thinking it may be a telecommunications company they are targeting. So our set of targets is now smaller again.
Next, we ask who it is that would fit all of these criteria and would be within a jurisdiction that SCO could sue them in, i.e. it won't be Deutsche Telekom, or Siemens (or any other German company). So now we are talking about U.S. companies as most likely.
I think with this in hand that list of top 1000 international companies has to be down to a handful by now.
Anyone care to flesh this out with some real investigations?
Whilst all of this is based on the 'what if' principle, an organisation's environment does not have to be 'connected' to the Internet to be affected by a vulnerability.
I have worked with many organisations who are suffering from an internal worm problem on a network that is not connected to the Internet. Their first question is typically, "How could this have happened?". My usual first response is, "Have you had any consultants in recently?"
For a worm that originates on the Internet to make it on to a non-Internet connected network all you need is one mobile device, or one transported piece of media, or one consultant with a notebook that was on their Internet connection, and is then connected to the control system network at a power plant. Despite this obviously being wrong, it does happen.
Backups provide an additional layer of protection, through the ability to recover. But they do not guarantee protection. It is possible for a worm/virus to be installed and lie dormant/undetected for a long period of time, should the programmer decide. As such a worm may become active, and then also exist within the backup set.
I think a dramatic incident is on the foreseeable horizon. For much of the economy today all it would take is a worm to shut down the Internet (en masse DDoS), with so many organisations relying on the Internet as a core business tool.
A worm pervasive enough to clog a good chunk of the Internet would also likely clog corporate networks as well. Imagine, if you will, a worm virulent enough that it does clog core Internet infrastructure. How will the AV vendors distribute those updated signatures, or how will the OS vendors distribute those patches if their customers can't access their web servers (etc.)?
The key thing to keep in mind is that all systems we have to date have some ability to be undermined. The day is coming when somebody makes a concerted effort to learn from all that has been achieved to date, invests enough time in analysing what other process/technology/system weaknesses exist, and uses an understanding of human psychology to develop a worm that will use a vulnerability in an OS (that is slow to be patched), that spreads quickly, and creates large enough volumes of traffic and FUD amongst the corporate world. Then things will get more exciting.
Having said all of this, the thing the White Hats need to be doing is planning, liaising, developing strategies and tools to combat scenarios as we can predict them. This will happen, and this will make things better. But how much better we will never know until it happens.
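The backup point above (a dormant worm is captured into the backup set and survives a restore) is easy to show with a small script. The following is an added example, not code from the comment's author: it hashes every file in a series of constructed backup generations against a known-bad hash list and reports the first infected generation and the last clean one to restore from. The worm payload, file paths, dates and indicator name are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample "worm" payload and its hash. It stands in for an indicator
# list such as hashes published by an AV vendor; it is not real malware.
_WORM_SAMPLE = b"CONSTRUCTED-WORM-SAMPLE: dormant dropper, not real malware"
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(_WORM_SAMPLE).hexdigest(): "example-worm (constructed indicator)",
}

# Constructed nightly backup generations of a small file tree, keyed by date.
# The dropper lands on 2005-02-27 and is carried forward into every later set.
BACKUPS: Dict[str, Dict[str, bytes]] = {
    "2005-02-26": {
        "C:/work/report.doc": b"quarterly report",
        "C:/windows/system32/legit.dll": b"legitimate library",
    },
    "2005-02-27": {
        "C:/work/report.doc": b"quarterly report, revised",
        "C:/windows/system32/legit.dll": b"legitimate library",
        "C:/windows/system32/svch0st.exe": _WORM_SAMPLE,
    },
    "2005-02-28": {
        "C:/work/report.doc": b"quarterly report, final",
        "C:/windows/system32/legit.dll": b"legitimate library",
        "C:/windows/system32/svch0st.exe": _WORM_SAMPLE,
    },
}


def scan_generation(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, indicator name) for every file whose SHA-256 is known bad."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            hits.append((path, KNOWN_BAD_SHA256[digest]))
    return hits


def first_infected_generation(backups: Dict[str, Dict[str, bytes]]) -> Optional[str]:
    """Oldest generation (labels sort chronologically) holding a known-bad file."""
    for label in sorted(backups):
        if scan_generation(backups[label]):
            return label
    return None


def last_clean_generation(backups: Dict[str, Dict[str, bytes]]) -> Optional[str]:
    """Newest generation older than the first infected one. Returns None when
    every retained generation already carries the indicator, which is exactly
    the dormant-worm case the comment describes."""
    clean = None
    for label in sorted(backups):
        if scan_generation(backups[label]):
            break
        clean = label
    return clean


if __name__ == "__main__":
    for label in sorted(BACKUPS):
        print(label, scan_generation(BACKUPS[label]) or "clean")
    print("first infected generation:", first_infected_generation(BACKUPS))
    print("safe to restore from:", last_clean_generation(BACKUPS))
```

Run as-is it prints that 2005-02-26 is the only clean generation. If retention had already rotated that night away, `last_clean_generation` returns `None`, which is the practical lesson: scan the backup set before restoring, and keep enough generations to reach back past a worm's dormancy period.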
If I turn my head sideways and wave my fingers in front of my face I can read Slashdot in 3D!
Wow! Now that's worth paying for!
Password management (on Real Security?)
I recently read a document proposing an alternative approach to an aspect of password management. I have since adopted this approach.
The paper said that one of the biggest threats to password security was the frequency that changes were required.
It seems that a fairly accepted norm is coming into being in the form of organisations requiring their users to roll their passwords once per month, and requiring that these passwords are unique. The problem with this requirement is that people are asked to remember so many passwords that they are tempted to either use weak passwords, or to write them down and stick them to something. Hence the previously secure password is now compromised.
The document/approach I read/have adopted is to stop requiring users to roll their passwords every month. I now request users to roll their passwords every 3 months (once per quarter). As a result in any year they have to get to know only 4 passwords (instead of 12), and as such can handle better quality passwords more easily.
My users are far more happy with this approach, and now see it as a reasonable compromise. As such they now buy-in to the concept and we find far fewer people breaching the password policy.
The key question I have coming from this acquisition is: What effect will this have on Sun's MadHatter project?
Given Sun was basing MadHatter on, from my understanding, the SuSE Linux distribution, will Novell honor any existing formal arrangements between Sun and SuSE, will Sun want to continue developing a solution that feeds content back into the now Novell owned distribution?
It seems Novell may have just won a -very- significant victory against Sun (both companies are looking to produce alternatives to Microsoft on the desktop/workstation, both were looking to use SuSE, Novell now owns SuSE and hence can shut out Sun).
While I can't dispute your logic, I do feel it is based on a fundamental flaw. That is to equate knowledge with intelligence.
Knowledge is something gained with experience and time, intelligence is your ability to gain and interpret that knowledge.
Theoretical intelligence capabilities are all fine and good, but the proven data we have is that there are things in the universe with no intelligence, and the species that is closest to infinite intelligence is human.
I do agree that there is likely to be a more intelligent species out there, but I think we can all accept that the majority of life out there is going to be less intelligent.
There is a theory that says the chances of discovering intelligent life approaches 1 the less intelligent they get, and approaches 0 the more intelligent they get, when compared to humans.
That is to say it is guaranteed that life exists with no intelligence, and is guaranteed that life does -not- exist with infinite intelligence.
All life is on a scale somewhere between no intelligence and infinite intelligence. Hence the odds are that if/when we find extraterrestrial life they will, in fact, be less intelligent.
Scientists and Engineers working in the area of prosthetic limbs have been dealing with the issue of controlling motorised limbs, without buttons (etc...) for a while now.
Why not go to your local hospital and talk about adapting some of this technology to monitor nerve endings along the arm, and/or legs (etc..)?
Using this method she could not only ring alarms, but with sufficient practise and a voice replication system, start stringing together whole sentences.
Australians don't have a right to free speech in the constitution, but from my understanding, and I may be incorrect here, Australians do have the right to free trade in the constitution. Doesn't telling Australian banks not to honor overseas transactions because they come from casinos breach this constitutional right?
Also, if an overseas casino just labels its transactions as from Bob's Fishmarket then how does the bank know, and are they liable under the legislation if they didn't know it was a casino?
Someone kind of alluded to this but MY GOD are your security procedures busted!
Point 1./ Why do you allow TELNET in to your routing/switching equipment from the outside world? If a CISCO tech' with the password can do it then a hacker without the password likely can too.
Point 2./ If you are connected to the Internet in any way NEVER replace your firewall with a cross over cable. Basically at that stage you have your pants around your ankles, are bent over, with a big "Do Me Now!!!!!" sign on your butt!
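Point 1 above (telnet open to the outside world on the network gear) is the kind of thing you want to catch in the device configuration before anyone else does. The following is an added example and not code from the comment's author or from Cisco: it parses a constructed IOS-style running-config excerpt for a hypothetical router, flags every VTY stanza that still accepts telnet or has no inbound `access-class`, and confirms a hardened variant passes. The hostname, line numbers and access-list number are all made up for the example; treating a missing `transport input` line as unrestricted is an assumption, since the IOS default varies by release.

```python
from typing import Dict, List

# Constructed running-config excerpt in Cisco IOS style for a hypothetical
# router. The first VTY block still accepts telnet and has no access-class;
# the second block shows what the hardened form looks like.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Collect the indented commands under each 'line vty ...' stanza."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return blocks


def audit_vty(config: str) -> List[str]:
    """Return one finding per weakness found in the VTY configuration."""
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            # Assumption for this example: an unstated transport is treated as
            # unrestricted, because the IOS default depends on the release.
            findings.append(f"{name}: no 'transport input' line, transport not restricted")
        else:
            allowed = transports[-1].split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append(f"{name}: telnet permitted ({transports[-1]})")
        if not any(c.startswith("access-class") and " in" in c for c in cmds):
            findings.append(f"{name}: no inbound access-class, any source may connect")
    return findings


def is_hardened(config: str) -> bool:
    """True when the audit raises no findings."""
    return not audit_vty(config)


# The same excerpt with the weak stanza corrected: SSH only, management
# sources restricted by the (constructed) access-list 10.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "line vty 0 4\n transport input telnet ssh\n",
    "line vty 0 4\n access-class 10 in\n transport input ssh\n",
)

if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened config passes:", is_hardened(HARDENED_CONFIG))
```

Run against the sample it reports two findings, both on `line vty 0 4`; the hardened variant produces none. Restricting the VTY transport to SSH and bounding the source addresses with an access-class is the control that makes the "tech with the password" and the "hacker without it" different cases.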
The organisation I work for solved this very simply. The majority of "viruses" we see these days are in fact worms that exploit faults in people's email software. The way we solved this was to BAN Microsoft Outlook (or Outlook Express), and its variations. By switching to Netscape as the SOA mail handler we ensured that all attachments that were sent provided all of their information (rather than disguising themselves as something else), and that they were not auto executed.
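The two properties the comment relies on (an attachment cannot disguise what it really is, and it is never executed automatically) can also be enforced at the mail gateway rather than by choice of client. The following is an added example, not code from the comment's author or from any mail product: it checks an attachment's declared filename against the leading bytes of its content and against a list of directly executable extensions, and returns the reasons it should be held rather than delivered. The signature table, extension lists and sample attachments are constructed for the example; a production gateway would use a full file-type database.

```python
from typing import List

# Leading-byte signatures -> broad content type. Constructed short table.
MAGIC = [
    (b"MZ", "executable"),       # DOS/Windows PE header
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]
# What each declared extension is expected to contain.
EXPECTED_TYPE = {"exe": "executable", "pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "zip": "zip"}
# Extensions that a permissive client would run on open; held outright.
DANGEROUS_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def sniff_type(data: bytes) -> str:
    """Classify content by its first bytes, ignoring the filename entirely."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons to hold an attachment; an empty list means deliver."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)

    if ext in DANGEROUS_EXT:
        reasons.append(f"extension .{ext} is directly executable")
    elif actual == "executable":
        # Executable bytes behind a harmless-looking name.
        reasons.append(f"executable content disguised as .{ext or '(none)'}")

    if ext in EXPECTED_TYPE and actual not in ("unknown", EXPECTED_TYPE[ext]):
        reasons.append(f"content is {actual}, not {EXPECTED_TYPE[ext]} as .{ext} claims")

    if len(parts) > 2 and parts[-2] in EXPECTED_TYPE:
        # e.g. photo.jpg.exe: clients that hide known extensions show "photo.jpg".
        reasons.append("double extension hides the real type")
    return reasons


def should_deliver(filename: str, data: bytes) -> bool:
    return not classify_attachment(filename, data)


# Constructed sample attachments (first bytes only; no real files).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0JFIF"),
    ("readme.txt", b"plain text body"),
    ("invoice.txt", b"MZ\x90\x00\x03 constructed PE stub"),
    ("report.pdf", b"MZ\x90\x00\x03 constructed PE stub"),
    ("photo.jpg.exe", b"MZ\x90\x00\x03 constructed PE stub"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        verdict = classify_attachment(name, body) or ["deliver"]
        print(f"{name:15} -> {'; '.join(verdict)}")
```

Of the five constructed samples only `photo.jpg` and `readme.txt` are delivered; the three `MZ`-headed files are held regardless of how their names try to present them, which is the "provided all of their information" property without depending on which client the recipient happens to use.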
I find this statement to be hilarious, especially given the fact that the grass-roots economy of the US is based entirely on bribery.
The various service industries of the US work on an employment policy of paying minimum wage and employees increasing their pay packet via the gaining of "tips". A tip is given by a consumer with the distinct purpose of rewarding the service provider for good service. Thus the prospect of getting a good tip encourages the service provider to give better service.
What this essentially means is that the receiver of services will give money to the giver of services to get them to serve the receiver better. In other words the receiver BRIBES the giver to get better service.
Hence for the US to spy on other companies from other countries and then justify this by proclaiming them to be centers of bribery and corruption is unbelievably hypocritical.
But then again since when did the US government ever expect anything less than "do what I say and not what I do"???
I do now wonder how long it will be until it is legislated as being illegal to place technology into your network that prevents access by ASIO to desired information. What will be the outcome if ASIO decides to go after information on your network on which you have an ultra secure firewall and encryption technologies running? Will some charge be trumped up to get a judge to order you to remove your protection and thus open you up to not only ASIO but any others as well?
I think it's entirely appropriate to consult a womens group on the disposal of toxic waste.
After all, when they're at home doing what they should be, they deal with toxic waste all the time.
(Yes, I know it's sexist. That's the whole joke of the post, dummy!)
This is sure to be the next Amazon.com patent: US-Patent 20030722.47blahblahblah "Ability to search bodies of published texts using RFC 2549".
Of course this gene spread like wildfire through the human species.
What would you respond better to? "Ung o-o, urggh, blarg, gooAh?" or "Hey sexy, what's a fine thing like you doing in a swamp like this?"