Slashdot Mirror


User: morphage

morphage's activity in the archive.

Stories: 0 · Comments: 8

Comments · 8

  1. If you are going to put ads in the news feed... on Plantronics Helps Make Remote Workers' Lives Easier (Video) · · Score: 3, Insightful

    Slashdot editors: I understand you need ads. I understand you need sponsors, but if you are going to post them, please mark them as paid content. Seriously. If you don't, you will lose your core readership, and maybe you already are, but this isn't going to help things. Was Rob Malda the only person keeping this from happening? Yes, Slashdot readers have valuable eyeballs, but treat us with respect, otherwise you will lose us. One of the key reasons geeks still defend Google and Gmail is that they set a precedent for tasteful and obvious ads with Adwords. Please hold yourselves to the same standards.

  2. Re:Shareholder interest is in profits not right/wr on SEC Decides Telcos Must Give Shareholders a Vote On Net Neutrality · · Score: 1

    Well I hope Mike D shuts them down because we all know that "like Ma 'Bell he's got the Ill Communication". Since you know he can't, and he won't and he don't stop.

    I wish I knew what that would really mean...

  3. Re:I thought this was a crypto/cypher challenge on GCHQ Challenge Solution Explained · · Score: 2

    I haven't looked at the video yet, because I still want to see how far I can get with just the spoilers in the comments.

    Grr...now I'm mad I didn't recognize the byte swapped DEADBEEF.

  4. I thought this was a crypto/cypher challenge on GCHQ Challenge Solution Explained · · Score: 1

    I didn't realize that reversing IA-32 executables was the modern meaning of cracking a code. I figured it would be difficult and possibly even rely on a dictionary attack of a cryptographic hash, but IA-32 machine code? This sounds like they are more interested in recruiting people to analyze stuff like Stuxnet than to attract people with cryptography, information theory, and signals backgrounds. I don't claim to be a crypto expert (I've taken an abstract algebra class that is a requirement for all cryptography classes at a university) but my first instinct was to assume that each byte was either xor'd (as a first pass, to get it out of signed byte space) or a residue of some modular division operation. When that didn't work I started analyzing the frequency of the bytes and mapping them to the letter frequency distribution for English. When I realized that most symbols only appeared once I gave up. If nothing else it was an excuse to brush up on my Python iterators.

    I haven't looked at the video yet, because I still want to see how far I can get with just the spoilers in the comments.

  5. If you're using Visio, you're doing it wrong on What Is the Future of Firewalls? · · Score: 5, Interesting

    There are two problems with your question.

    The first is you may believe tools and diagrams will take the pain out of implementing and enforcing security policy. Network design is systems design. Diagrams are essential in communicating that a system meets the requirements to stakeholders and management who make budgets and can't visualize how improved security adds value. But firewalls and their associated diagrams are just one element of security. What about OS patches, authentication and physical security? You know that firewalls run software and software needs maintenance. Pointing to a well executed diagram won't save you from applying vendor software updates. Are your policies sane? Security tools are only as good as the policies they implement and the people who use them. Your tool may show you that you have correctly hidden an important asset from the outside world, but are all your assets protected? Does your organization give out VPN logins to unqualified users? Are you using a VPN? Can your services run over a tunnel? If your servers or services can be secured do you really need to block all ports and selectively open a few? Can any of your services take advantage of TCP Wrappers?

    "When you finish your MBA- it'll all become clear." is spot on. Perform a cost benefit analysis. Figure out how many hours at your rate it will take to cobble together some scripts or pay a developer for a custom tool. Then figure out how much it would cost to hire a qualified network engineer. Then figure out the cost of losing business due to denial of service or network intrusions. Then realize that you still probably need a network engineer to correct your diagrams and security policies after you use a custom tool. You can always do your own taxes and defend yourself in court, but can you afford to be wrong? Complex problems need people with specialized knowledge.

    The second problem is no tool programmer in their right mind would want to write a program to generate scripts from Visio. I'm a programmer, not a network guy, but like many programmers I've run Linux and OpenBSD development and webservers and done my best to keep them secure. I've also used Visio, and Visual Paradigm and some other very expensive commercial tools for creating UML diagrams. In less time than it would take me to figure out how to correctly draw something in Visio, I could have skimmed the man pages and the internet for the correct syntax required to write a rule in iptables or pf. Visio is not an intuitive tool for working in most domains. Adobe Illustrator with all its quirks makes more sense in comparison. If you want a neat toy or project, take a look at GNU DIA, or Argo UML and write patches to generate configuration files. Even if you are successful there is no standard operating system or vendor independent language for defining firewall rules. Don't ever expect to drag and drop a policy to migrate rules from a Linux based appliance to a Cisco router to a Juniper switch to a BSD based appliance. Cisco has made billions by locking in customers to their own standards. Linux and BSD are integrated into many firewall appliances but they also have their own version dependent quirks and special sauce from vendors.

  6. programming doesn't stink, it's in its infancy on Why Programming Still Stinks · · Score: 2, Insightful

    If one compares the industrial revolution with the so called "information age", we are somewhere in the early 1800's. The industrial revolution resulted from the experimentation of scientists with formal training and tinkerers with informal training. The information age is no different. During the first few decades of the information age, those who worked with computers were both scientists and engineers with formal training, as well as tinkerers with informal training.

    After the foundation of the industrial revolution was laid, two professions emerged, the engineer who designed the machines, and the mechanic who maintained them. Some of the previous posts noted with dismay the similarities between blue collar workers and graduates of technology programs and certificate holders. Computer science and engineering is still barely older than 40 years old. Since the demand for programmers is still very large (even if the demand is being met in India), simple jobs are being delegated to programmers with training lacking theory. These are the mechanics of the information age and they have their place.

    The "technician programmer", is on the same level as those technicians who obtain degrees in "engineering technology". The technician programmer is well suited for cranking out small system administration scripts, coding SQL, creating database front ends, and developing websites. Like machinists, they work with tools that are comparatively simple, and repetitive in nature. Occasionally, a complex problem requires a new method of applying the tool. A machinist can make engine parts, but can't design an engine in the same way a technician level programmer can create a database, but not the database engine.

    Unfortunately, the tech schools try to convince both their graduates and businesses that technician programmers are able to do more than this. In the current economy, businesses would much rather pay a tech school graduate to customize an off the shelf solution, than an unemployed programmer trained as a scientist or engineer. However, there will always be jobs for systems programmers and software engineers, as long as someone is willing to pay for new ideas. The difference between the "technician programmer" and computer scientist and engineer needs to be recognized, just as the difference between the appliance repairman and the electrical engineer, and the mechanic and mechanical engineer is recognized.

    We have not seen the true next generation of computers. Miniaturization and speed increases are the results of advancements in materials science and electrical engineering. Computer science and software engineering are still using ideas from the first generation of technology. The majority of computers (PC's) run a von Neumann architecture, with software written in languages that are procedural, even if support for classes and objects is included. Classes and objects simply create a method of abstraction to enable the problem to be approached in a modular manner. Not that this is bad, but the models and techniques of computer programming are based on the limitations of hardware technology from the 1960's and 70's. The tradeoffs between performance and ease of use are still issues in software engineering. The next generation of computers may eliminate the constraints of current methods, as well as introduce new constraints. It's all part of an ongoing process called technology. This is a good thing.

  7. damned philosophy majors on Fiorina Says HP May Get Out Of The PC Business · · Score: 1

    According to HP's website, "Fiorina holds a bachelor's degree in medieval history and philosophy from Stanford University". In my general experience, most people in these majors are there because they don't know their a** from a hole in the ground. (I'm majoring in computer engineering.) The bio goes on to state that she has two other masters in business. While most realize that a person's real skills and career can vary greatly from their undergraduate degree, it's pretty obvious in this case that this is one of the reasons why she has no handle or insight on the technology that drives her company and as a result is making terrible decisions. When are people going to realize that in order to manage (or as hp wants to "invent") technology you need to know something about it, because the only thing that one learns from a business degree is the business of business which is finance, accounting and economics. That stuff can always make your paperwork look pretty and attract investors but it doesn't sell good products or innovate.

  8. general questions about distros on SuSE 6.1 for Alpha · · Score: 1

    Right now I'm using Slackware 3.5 for general desktop apps. However, I'm looking to switch to another distro which is more easily configurable, and has better package support. I've been comparing docs and flames from a lot of sources and have determined IMHO that SuSE and Debian seem to be the most complete/stable distros out there (I don't like Redhat 5.1 from experience). I would like some _serious_ input as to the quirks/features of either of these systems especially in the areas of setup utilities, glibc2 support, and security. And yes I know that Yast isn't published under GPL and that really doesn't matter to me. All I want is a reliable, loaded, desktop and ftp site on one machine. I know this is a lot to ask but it would really be helpful if you told me some real experiences instead of flaming distros.

    Thanks