Somehow I think this story was mentioned purely so people could bitch about how the web page is designed, and more to the point how much it sucks becuase their browser can't view it correctly.
Large ISPs should consider doing this on all of their RAS equipment first and foremost. As has been previously stated in this thread, there are legitimate reasons not to do this on all border routers.
However, in my opinion, there are two real culprits to this problem.
Major router vendors are the primary culprit. This option should be on by default on all routers, and require a configuration change to be turned off. If it isn't turned off then every network you route to the outside world is automatically allowed to pass through. If it is turned off, then you just made a concience decision to run in a less secure environment - possibly a very legitimate decision, possibly not.
The secondary culprit, is the lack of concise and well written AUPs that are truly enforced. Ahhh if only it were legal and enforcable to have an AUP that said simply, "We allow no bullshit. And we decide what the bullshit is." But it isn't so write one that works.
Personally, if I were a DSL/Cable provider just starting up, I'd invest heavily in a bunch of decent NID systems and allow the traffic through. My AUP would state that you pay me first and last months DSL rent regardless of whether you are getting service, if you break my AUP. I'm sure all the mommies and daddies out there would be thrilled to find they have no Internet after the NID system found spoofed packets coming from juniors CPU.
1. Gather your information. 2. Backup your logs. 3. When satisified with logs, and initial investigation, blackhole them at your perimeter. 4. Call your upstream, request blackhole at ingress point. 5. Begin tracking from logs and if your site is high profile enough tracking from all points up the line.
Invest in an opensource honeypot machine. Invest manpower in your choice of NID software.
Choose to take the high road. Customers will understand a downtime due to something like this. Customers won't understand that you decided to attack back at some ISP that didn't have a clue how to manage their machines.
Sure it may seem satisfying at the time to root an attackers server, but guess what... with almost 100% probability the hacker in question does not own that machine. And the person who does probably won't be thrilled that you just rooted his box. Same goes for a DoS retaliation. In these days of misconfigured proxies, IPv4 vulnerabilites, and weak TCP/IP stacks - the chances that you are actually hitting back at the right network are next to nil.
And to sum it all up... Even if you knew with 100% accuracy where the attack was coming from - what kind of moron would you have to be to decide to reverse attack instead of taking legal action against that network?
(Now if you work for some military or federal government agency and this is some suspected foreign power you are being attacked by... well... - disregard I guess.)
You don't really talk a whole lot about where and for what you are using the NFS box for. How is linux's NFS working for you?
All I've ever heard were horror stories about its poor implementation. Water under the bridge? Righty right?
I assume your sharing static content and image serving using the NFS shares. Perhaps you've even gone so far as to utilize qmail or the sendmail/procmail NFS mail hack in order to store your email on the NFS share?
What shyed you away from the Linux Virtual Server Project's implementation of load balancing? Or the mon+hearbeat+fake+coda solution for HA? Or is your "Oddessey" work based on this in any way?
Are you loadbalancing your firewalling BSD box? Or have we reached a critical point of failure at the firewall?
Very interesting stuff, I'd like to know more details though.
of asking you a question. Your creation sparked my involvment in computers, and more specifically at the time - the computer underground.
1. When computing was young, and the technology far surpassed the laws restricting its use - hacking (cracking) and phreaking were the tools of teaching to many youngsters who simply didn't have access to the latest and greatest hardware. In your opinion - are todays computer missuse and tresspass laws to strict or lax in the U.S.?
2. Rumor (heh) has it that you built and Steve Jobs sold blue boxes when you were both in college together. The AppleCat modem was by far the most powerful modem ever sold, and remained so for many years after its release. Programs like Cat's Meow revolutionized the world of phreaking at the time. How aware were you of the missuse(?) of the AppleCat modem in regard to phreaking?
3. Did you ever hang out with Capt. Crunch? Did he really lose his mind after his stint in prison?
Someone forwarded this link to me late last night. Doesn't look like its supposed to be public, but then... why post it on the net? http://the.whole.net/~pheh/os9dumper.html
I'm not sure when I became Pro-MS. A yahoo maybe, but I draw the line at being called Pro-MS. It seems to me that many people consistantly think of the reference to Atlas shrugging (and no I'm not the only one to ever use it) as one man, one company. Well guess what - in just the same vein that all Microsoft developers (thos who develop software for MS) could be Atlas, so too could the entire Open Source movement.
I am consitently amazed at the venom, wrath, and blinded single mindedness that the mere mention of Microsoft or Bill Gates brings about in the majority of Slashdot readers. While it is true my reference was vauge - I honestly expected SOMEONE to get it correctly. In retrospect - I suppose I'm glad I got to see the other side instead.
-sarcasm- Oh, and your right. Bill Gates and crew don't sweat for a living - Or create anything of any worth. Hell lets ban all their trademarks and copyrights while were at it! All they did was buy them all anyway right!? Power to the people! -end sarcasm-
Quite the contrary. It will be their developers. Just as Atlas isn't always a he. It (the concept) doesn't always represent those directly connected to the company. Atlas shrugging in this instance could just as easily be all the Windows NT developers out there developing for Microsoft suddenly developing for Linux.
I'm just sitting here trying to figure out why you reply which stated: "I couldn't have said it better." ended up with a score of 2 - While my original post is still sitting at one. Sounds like a conspiracy to keep me down.
The hippies are trying to keep me down! Help! Help! I'm being opressed!
Microsoft up to its old tricks? Has Slashdot finally sunk to such depths that it needs to create bogus headlines like these?
Please name me one operating system that has to, and in many cases succeeds in inter-operating with so many other systems. The weight that Microsoft carries and the scrutiny under which it carries that weight should be a warning to everyone who wants them out of the way.
Asinine headlines like this one from "Roblimo" only have a place with the rest of the quacks looking for "the smoking man" and UFOs. Because you are making the rest of us look like those quacks when you post that garbage here.
Here is to hoping that Atlas shrugs.
(And take note this post was written in Netscape, under Linux 2.3.x)
You know what the perfect twist to this media driven saga would be?
To have JP, KW, and BM hold a press conference calling the media thier toys - proclaiming the whole ordeal a 'hoax'.
It truly is a shame to see (respectable?) publications like NYT, and Forbes even giving a shit about the pointless squables of a couple web site operators. Who gives a crap? The only thing that ever bothered me was the "computer security expert" moniker that JP ended up with, when I have seen no worthwhile work to back up such a title.
Such is life in the digital age I suppose. Just look at all the publications quoting Slashdot posts like this one.
Why is it I hear the whining of scared little children calling to their mommies and daddies to help them feel safe again?
Truste didn't work? Fine, so be it. This doesn't mean I need mommy and daddy to make me feel safe again in this cold cruel world. Grow up! If privacy is a concern to you, change your habits. Truste failed? Then it will pay. It will become more and more meaningless to people. It will wither and die. From its compost something new will arise which may work better, thus evolution continues.
If there is a market for internet privacy authentication services then it will be filled. Uncle scam can keep his privacy laws and efforts where they are needed, the regulating of himself.
Someone over at IDG needs to tighten up the reigns on its legal team a bit.
When pinheaded lawyers simply cruise the web for trademarks looking for people to sue its a good bet the president of the company needs to buy "Managing for Dummies".
When there aren't checks and bounds on emails such as this sent out of a company the size of IDG its a good bet that someone in the company needs to read "Setting Standard Operating Procedures for Dummies".
When IDG fails to appologize for the obvious faux pax its a good bet thier public relations department needs to read "Eating crow for Dummies".
And in case my spelling is at its usual worst, you can bet our bottom dollar that I haven't read "Spelling for Dummies".
I am pleased you included the 'if' in your initial sentence. Being a part of the Slashdot community I most certainly do not think it consists either soley or primarily of any of the above. I do, however, think that a large percentage of the anti-harvard rehtoric was coming from exactly that stew of people you mentioned.
Exactly what community and its view was I representing in any of my posts? I was speaking soley for myself, using "I" almost everywhere. I am quite comfortable in the real world though not always happy to be a part of it. The people that seem to be unable to grasp the concept of the real world are those that are arguing the injustice of doing the "right thing" (legally, socially, and politically vs. doing the "right thing" morally, heartfelt, utopianly.
Yes, Harvard cares very little about what the Slashdot community has to say. We are talking about a learning institution with a history that dwarfs even that of computers in general. Never did I say they shouldn't give a rats-rear-end about what Slashdot readers have to say, simply that they don't.
1) Intelligent people will support Harvard, ergo anyone criticizing their action must be intelligence challenged(tm).
Reply: Yes. But. Never did I say they would "support" Harvard. Not finding fault in something is not the same as supporting it. I'll even give you an anology to play with: "I can't fault the chicken for crossing the road, but its certainly not an action I would support." - I'll even give you a more relevent one - "I wouldn't fault Packet Storm's admin for posting his opinions of antionline's admin, but if I were hosting his box and recieved a letter like that, and had a familly to care for, its certainly not an opinion I would be able to support."
2) Censoring isn't very "Harvard", so rather than "censor" by requesting the removial of controversial materials, it is somehow more ethical and less "censorous" to go off half-cocked and delete EVERYTHING the site offered with no due process
You really think Harvard gives a rats-rear-end about the public criticisms from Slashdot readers and the 'haqer' community? You seem to think you wield a lot more power behind your keyboard than I think you do.
3) What harvard did was right. It was OK for them to spew FUD (untruths) because they needed "time."
Welcome to the real world. It isn't a pretty place and it hasn't been for as long as I've been alive. Harvard did what needed to be done at the time, yes.
If I understand your arguments correctly, burning entire libraries and spreading FUD about the personal lives and actions of the libraries is OK, even noble, as to do anything less (like lock up an objectionable book) would be "censorship." Anyone objecting to the burning of said libraries would clearly be stupid, as any intelligent person in the security community would support burning the entire library over the censorship the removal of one controversial book would imply. Interesting definitions.
A - The library wasn't burned. It was simply closed. Even if they did indeed 'rm -rf/*' there was a backup. So your analogy is mute. This is a poor analogy at best. How about if I give you a better one that I do agree with and is reasonable:
"If I open a private library with an office complex from which I lease free space (lets just say I pay a dollar a month), I go into that relationship knowing that at any day I could be kicked out of that space. But lets take it a step further, you see at this library you can only check out books on terrorism. How to stop terrorism, how to start terrorism, terrorism-terrorism-terrorism. But in one section of my "library" I have nothing but deragatory comments about Jesse Helms. Corresopondence with him are posted, what I think about him is posted, deflamatory pictures of him are posted on all the walls in the section of my "library".
Does the lessor have the "OK" to kick me out of my "library"?
Harvard took the site down because it became to controversial for them to take the time to deal with. They were doing the security community a favor and the intelligent people in the community would never fault Harvard for doing what it felt had to be done at the time.
Sure, they would be praised if they had simply contacted Packet Storms admin and told him that the offensive material would have to go or they would be forced to shut down the site. But then they would have become censors. Censoring content just doesn't seem very Harvard to me.
What they did was right. The actions they took, and the preliminary FUD they spewed merely gave them the time they needed to weigh thier options, without bringing about the wild accusations and rumors that would have flown in the face of silence.
Speaking as a network security manager for a 10k user network and a former vicitim of hacking attempts and successes, I agree.
However, speaking as a user, and having bosses that want functionality first and security second, I feel I can safely back up my claim that the general populace want security second. I don't care how secure it can be, if its difficult to use it won't be used or it will be used improperly. I am constantly arguing the benifits of an application level (proxy) firewall over a circuit (packet filter) based firewall. Its a lost cause, the monitary benifit will almost always outweigh your perceived gain in security.
This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com, et.al.
Yikes! Now that is a scary notion. Microsoft, Sun, SGI, HP, Red Hat, etc... all fail at this. Even relying on Bug Traq and the like for your security measures is only a secondary response to a primary issue. If someone is good enough, they will get in. And a distribution like this will give people like yourself a false sense of security. You do what you can, where you can, when you can. And you keep doing it over and over. You build application architectures as securely as you can, and then limit access to those applications to only the people who need the access. Then you stick in your safe guards against those who would attempt to thwart those restrictions. A generic rule of thumb at best, yes.
In very few cases are functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little different. A little more secure.
How large a network do you work in? Did you build the network yourself or did you have to take it over? How large is your security team? Maybe you know something fundemental that I don't. Security isn't as easy, and when you talk to the bean counters, if the possible loss isn't high enough then security will be pushed under the rug.
Again, I do think its nice that this distro is coming out, I do applaud thier efforts. But no one can make a secure Linux or *insert OS here* distribution that will make me any happier. The secure distribution that is best is the one you put together yourself for the job at hand. You do this by taking the one that is easiest for you to use (the one you feel most comfortable with) and shredding it to pieces. Leave nothing but what is absolutely needed, then secure it - first from the network, then from the users.
I applaud efforts such as these, and I hope the end up with a successful distro. But I doubt they will. No matter what the headlines read, people want functionality before security. And while I hope to enjoy the fruits of thier labor on such a project, I will most likely never use it in production.
Instead I will end up looking at how it works, and taking the bits and pieces that I think I can gain the most secure functionality from. Possibly even repackaging them for easier installation on my own personal favorite distribution.
A grand idea indeed. But I much prefer the right tool for the right job approach, then the use a flamethrower to light my cigarette approach.
Don't let Mindcraft "mind craft" this into a Linux/Novell idiots campaign. Idiots like this were around long before Linux became a hit. These are the type of people that scurry around trying to crash other peoples computers because they have nothing better to do and because they have little other power in real life. The feel 'empowered' by the anonimty of the keyboard.
Only a retarded reported for a web based media outlet would try to make a case that these kind of people represent any large group of people as whole. Generally people have more sense than that.
My advice? Remove this story from slashdot because it is not a story worth telling. MindCraft is only showing its own insecurity in posting those emails. The real power lies in knowing what is truly important and ignoring the rest.
So much said with so little substance. Its frighting to see that someone like Metcalfe can get paid to write fantasy stories for a trade magazine.
Anything that doesn't make money is communist? I guess I've given away my last perl script. I'd hate to be blackballed in a senate hearing soon. Please.
Linux the peace, love and flowers OS? Me thinks the Metcalfe has been smoking too many of the flowers. Try to sell that allusion to Dell who just made about $100,000 for the servers we bought from them, which immediately had Linux installed on them for a web farm and email servers.
You know I love a good fight, and Metcalfe obviously has his opinions that this one won't be won by Linux. But please, Bob, if your going to write about Linux's poor ideology (IYO), figure our what the ideology is first. And by my calculations that should leave you with pretty much nothing to write about. Because this isn't Apple friend. There is no one stream of thought being lead by an egomaniac. This is Linux, and there are at least 7 million ideologies here.
Communists. Hippies. Leave it to the stuffed shirts to fall back on such old fodder.
Slashdot Mirror
Somehow I think this story was mentioned purely so people could bitch about how the web page is designed, and more to the point how much it sucks becuase their browser can't view it correctly.
Large ISPs should consider doing this on all of their RAS equipment first and foremost. As has been previously stated in this thread, there are legitimate reasons not to do this on all border routers.
However, in my opinion, there are two real culprits to this problem.
Major router vendors are the primary culprit. This option should be on by default on all routers, and require a configuration change to be turned off. If it isn't turned off then every network you route to the outside world is automatically allowed to pass through. If it is turned off, then you just made a concience decision to run in a less secure environment - possibly a very legitimate decision, possibly not.
The secondary culprit, is the lack of concise and well written AUPs that are truly enforced. Ahhh if only it were legal and enforcable to have an AUP that said simply, "We allow no bullshit. And we decide what the bullshit is." But it isn't so write one that works.
Personally, if I were a DSL/Cable provider just starting up, I'd invest heavily in a bunch of decent NID systems and allow the traffic through. My AUP would state that you pay me first and last months DSL rent regardless of whether you are getting service, if you break my AUP. I'm sure all the mommies and daddies out there would be thrilled to find they have no Internet after the NID system found spoofed packets coming from juniors CPU.
[simplistic, but worthwhile...]
1. Gather your information.
2. Backup your logs.
3. When satisified with logs, and initial investigation, blackhole them at your perimeter.
4. Call your upstream, request blackhole at ingress point.
5. Begin tracking from logs and if your site is high profile enough tracking from all points up the line.
Invest in an opensource honeypot machine. Invest manpower in your choice of NID software.
Choose to take the high road. Customers will understand a downtime due to something like this. Customers won't understand that you decided to attack back at some ISP that didn't have a clue how to manage their machines.
Sure it may seem satisfying at the time to root an attackers server, but guess what... with almost 100% probability the hacker in question does not own that machine. And the person who does probably won't be thrilled that you just rooted his box. Same goes for a DoS retaliation. In these days of misconfigured proxies, IPv4 vulnerabilites, and weak TCP/IP stacks - the chances that you are actually hitting back at the right network are next to nil.
And to sum it all up... Even if you knew with 100% accuracy where the attack was coming from - what kind of moron would you have to be to decide to reverse attack instead of taking legal action against that network?
(Now if you work for some military or federal government agency and this is some suspected foreign power you are being attacked by... well... - disregard I guess.)
You don't really talk a whole lot about where and for what you are using the NFS box for. How is linux's NFS working for you?
All I've ever heard were horror stories about its poor implementation. Water under the bridge? Righty right?
I assume your sharing static content and image serving using the NFS shares. Perhaps you've even gone so far as to utilize qmail or the sendmail/procmail NFS mail hack in order to store your email on the NFS share?
What shyed you away from the Linux Virtual Server Project's implementation of load balancing? Or the mon+hearbeat+fake+coda solution for HA? Or is your "Oddessey" work based on this in any way?
Are you loadbalancing your firewalling BSD box? Or have we reached a critical point of failure at the firewall?
Very interesting stuff, I'd like to know more details though.
Okay... didn't exist at the time of the "press release" and didn't exist at the time of the article posting. (not on your server or the mirrors).
While I do appreciate the reply, I still have a problem with these types of press releases. When you post you have the goods... have them.
of asking you a question. Your creation sparked my involvment in computers, and more specifically at the time - the computer underground.
1. When computing was young, and the technology far surpassed the laws restricting its use - hacking (cracking) and phreaking were the tools of teaching to many youngsters who simply didn't have access to the latest and greatest hardware. In your opinion - are todays computer missuse and tresspass laws to strict or lax in the U.S.?
2. Rumor (heh) has it that you built and Steve Jobs sold blue boxes when you were both in college together. The AppleCat modem was by far the most powerful modem ever sold, and remained so for many years after its release. Programs like Cat's Meow revolutionized the world of phreaking at the time. How aware were you of the missuse(?) of the AppleCat modem in regard to phreaking?
3. Did you ever hang out with Capt. Crunch? Did he really lose his mind after his stint in prison?
(I never expect all of these to be answered)
Someone forwarded this link to me late last night. Doesn't look like its supposed to be public, but then... why post it on the net?
http://the.whole.net/~pheh/os9dumper.html
I'm not sure when I became Pro-MS. A yahoo maybe, but I draw the line at being called Pro-MS. It seems to me that many people consistantly think of the reference to Atlas shrugging (and no I'm not the only one to ever use it) as one man, one company. Well guess what - in just the same vein that all Microsoft developers (thos who develop software for MS) could be Atlas, so too could the entire Open Source movement.
I am consitently amazed at the venom, wrath, and blinded single mindedness that the mere mention of Microsoft or Bill Gates brings about in the majority of Slashdot readers. While it is true my reference was vauge - I honestly expected SOMEONE to get it correctly. In retrospect - I suppose I'm glad I got to see the other side instead.
-sarcasm-
Oh, and your right. Bill Gates and crew don't sweat for a living - Or create anything of any worth. Hell lets ban all their trademarks and copyrights while were at it! All they did was buy them all anyway right!? Power to the people!
-end sarcasm-
Quite the contrary. It will be their developers. Just as Atlas isn't always a he. It (the concept) doesn't always represent those directly connected to the company. Atlas shrugging in this instance could just as easily be all the Windows NT developers out there developing for Microsoft suddenly developing for Linux.
^on post do sarcasm
I'm just sitting here trying to figure out why you reply which stated: "I couldn't have said it better." ended up with a score of 2 - While my original post is still sitting at one. Sounds like a conspiracy to keep me down.
The hippies are trying to keep me down! Help! Help! I'm being opressed!
Microsoft up to its old tricks? Has Slashdot finally sunk to such depths that it needs to create bogus headlines like these?
Please name me one operating system that has to, and in many cases succeeds in inter-operating with so many other systems. The weight that Microsoft carries and the scrutiny under which it carries that weight should be a warning to everyone who wants them out of the way.
Asinine headlines like this one from "Roblimo" only have a place with the rest of the quacks looking for "the smoking man" and UFOs. Because you are making the rest of us look like those quacks when you post that garbage here.
Here is to hoping that Atlas shrugs.
(And take note this post was written in Netscape, under Linux 2.3.x)
You know what the perfect twist to this media driven saga would be?
To have JP, KW, and BM hold a press conference calling the media thier toys - proclaiming the whole ordeal a 'hoax'.
It truly is a shame to see (respectable?) publications like NYT, and Forbes even giving a shit about the pointless squables of a couple web site operators. Who gives a crap? The only thing that ever bothered me was the "computer security expert" moniker that JP ended up with, when I have seen no worthwhile work to back up such a title.
Such is life in the digital age I suppose. Just look at all the publications quoting Slashdot posts like this one.
1 (and only). Do you honestly consider yourself a computer security expert?
Why is it I hear the whining of scared little children calling to their mommies and daddies to help them feel safe again?
Truste didn't work? Fine, so be it. This doesn't mean I need mommy and daddy to make me feel safe again in this cold cruel world. Grow up! If privacy is a concern to you, change your habits. Truste failed? Then it will pay. It will become more and more meaningless to people. It will wither and die. From its compost something new will arise which may work better, thus evolution continues.
If there is a market for internet privacy authentication services then it will be filled.
Uncle scam can keep his privacy laws and efforts where they are needed, the regulating of himself.
Sure throw in a couple book suggestions to them, just to try to help them make back any money they have lost paying this "Tradmark Coordinator":
"Commiting Financial Suicide for Dummies"
"Buying Clues for Dummies"
"Reading for Dummies"
and suggest one for her too, just because your a good Joe:
"Name Changing for Dummies"
"Job Hunting for Dummies"
Hell they've probably already written half of those already.
Someone over at IDG needs to tighten up the reigns on its legal team a bit.
When pinheaded lawyers simply cruise the web for trademarks looking for people to sue its a good bet the president of the company needs to buy "Managing for Dummies".
When there aren't checks and bounds on emails such as this sent out of a company the size of IDG its a good bet that someone in the company needs to read "Setting Standard Operating Procedures for Dummies".
When IDG fails to appologize for the obvious faux pax its a good bet thier public relations department needs to read "Eating crow for Dummies".
And in case my spelling is at its usual worst, you can bet our bottom dollar that I haven't read "Spelling for Dummies".
So when is there going to be a contest to win every O'Reilly book ever published?
I know. I was typing quickly and only quickly glanced over what I wrote when done. My co-workers were only too happy to point that one out to me.
I am pleased you included the 'if' in your initial sentence. Being a part of the Slashdot community I most certainly do not think it consists either soley or primarily of any of the above. I do, however, think that a large percentage of the anti-harvard rehtoric was coming from exactly that stew of people you mentioned.
Exactly what community and its view was I representing in any of my posts? I was speaking soley for myself, using "I" almost everywhere. I am quite comfortable in the real world though not always happy to be a part of it. The people that seem to be unable to grasp the concept of the real world are those that are arguing the injustice of doing the "right thing" (legally, socially, and politically vs. doing the "right thing" morally, heartfelt, utopianly.
Yes, Harvard cares very little about what the Slashdot community has to say. We are talking about a learning institution with a history that dwarfs even that of computers in general. Never did I say they shouldn't give a rats-rear-end about what Slashdot readers have to say, simply that they don't.
special.
/*' there was a backup. So your analogy is mute. This is a poor analogy at best. How about if I give you a better one that I do agree with and is reasonable:
1) Intelligent people will support Harvard, ergo anyone criticizing their action must be intelligence challenged(tm).
Reply: Yes. But. Never did I say they would "support" Harvard. Not finding fault in something is not the same as supporting it. I'll even give you an anology to play with: "I can't fault the chicken for crossing the road, but its certainly not an action I would support." - I'll even give you a more relevent one - "I wouldn't fault Packet Storm's admin for posting his opinions of antionline's admin, but if I were hosting his box and recieved a letter like that, and had a familly to care for, its certainly not an opinion I would be able to support."
2) Censoring isn't very "Harvard", so rather than "censor" by requesting the removial of controversial materials, it is somehow more ethical and less "censorous" to go off half-cocked and delete EVERYTHING the site offered with no due process
You really think Harvard gives a rats-rear-end about the public criticisms from Slashdot readers and the 'haqer' community? You seem to think you wield a lot more power behind your keyboard than I think you do.
3) What harvard did was right. It was OK for them to spew FUD (untruths) because they needed "time."
Welcome to the real world. It isn't a pretty place and it hasn't been for as long as I've been alive. Harvard did what needed to be done at the time, yes.
If I understand your arguments correctly, burning entire libraries and spreading FUD about the personal lives and actions of the libraries is OK, even noble, as to do anything less (like lock up an objectionable book) would be "censorship." Anyone objecting to the burning of said libraries would clearly be stupid, as any intelligent person in the security community would support burning the entire library over the censorship the removal of one controversial book would imply. Interesting definitions.
A - The library wasn't burned. It was simply closed. Even if they did indeed 'rm -rf
"If I open a private library with an office complex from which I lease free space (lets just say I pay a dollar a month), I go into that relationship knowing that at any day I could be kicked out of that space. But lets take it a step further, you see at this library you can only check out books on terrorism. How to stop terrorism, how to start terrorism, terrorism-terrorism-terrorism. But in one section of my "library" I have nothing but deragatory comments about Jesse Helms. Corresopondence with him are posted, what I think about him is posted, deflamatory pictures of him are posted on all the walls in the section of my "library".
Does the lessor have the "OK" to kick me out of my "library"?
Harvard took the site down because it became to controversial for them to take the time to deal with. They were doing the security community a favor and the intelligent people in the community would never fault Harvard for doing what it felt had to be done at the time.
Sure, they would be praised if they had simply contacted Packet Storms admin and told him that the offensive material would have to go or they would be forced to shut down the site. But then they would have become censors. Censoring content just doesn't seem very Harvard to me.
What they did was right. The actions they took, and the preliminary FUD they spewed merely gave them the time they needed to weigh thier options, without bringing about the wild accusations and rumors that would have flown in the face of silence.
Speaking as a network security manager for a 10k user network and a former vicitim of hacking attempts and successes, I agree.
However, speaking as a user, and having bosses that want functionality first and security second, I feel I can safely back up my claim that the general populace want security second. I don't care how secure it can be, if its difficult to use it won't be used or it will be used improperly. I am constantly arguing the benifits of an application level (proxy) firewall over a circuit (packet filter) based firewall. Its a lost cause, the monitary benifit will almost always outweigh your perceived gain in security.
This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com, et.al.
Yikes! Now that is a scary notion. Microsoft, Sun, SGI, HP, Red Hat, etc... all fail at this. Even relying on Bug Traq and the like for your security measures is only a secondary response to a primary issue. If someone is good enough, they will get in. And a distribution like this will give people like yourself a false sense of security. You do what you can, where you can, when you can. And you keep doing it over and over. You build application architectures as securely as you can, and then limit access to those applications to only the people who need the access. Then you stick in your safe guards against those who would attempt to thwart those restrictions. A generic rule of thumb at best, yes.
In very few cases are functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little different. A little more secure.
How large a network do you work in? Did you build the network yourself or did you have to take it over? How large is your security team? Maybe you know something fundemental that I don't. Security isn't as easy, and when you talk to the bean counters, if the possible loss isn't high enough then security will be pushed under the rug.
Again, I do think its nice that this distro is coming out, I do applaud thier efforts. But no one can make a secure Linux or *insert OS here* distribution that will make me any happier. The secure distribution that is best is the one you put together yourself for the job at hand. You do this by taking the one that is easiest for you to use (the one you feel most comfortable with) and shredding it to pieces. Leave nothing but what is absolutely needed, then secure it - first from the network, then from the users.
of the rainbow.
I applaud efforts such as these, and I hope the end up with a successful distro. But I doubt they will. No matter what the headlines read, people want functionality before security. And while I hope to enjoy the fruits of thier labor on such a project, I will most likely never use it in production.
Instead I will end up looking at how it works, and taking the bits and pieces that I think I can gain the most secure functionality from. Possibly even repackaging them for easier installation on my own personal favorite distribution.
A grand idea indeed. But I much prefer the right tool for the right job approach, then the use a flamethrower to light my cigarette approach.
Don't let Mindcraft "mind craft" this into a Linux/Novell idiots campaign. Idiots like this were around long before Linux became a hit. These are the type of people that scurry around trying to crash other peoples computers because they have nothing better to do and because they have little other power in real life. The feel 'empowered' by the anonimty of the keyboard.
Only a retarded reported for a web based media outlet would try to make a case that these kind of people represent any large group of people as whole. Generally people have more sense than that.
My advice? Remove this story from slashdot because it is not a story worth telling. MindCraft is only showing its own insecurity in posting those emails. The real power lies in knowing what is truly important and ignoring the rest.
So much said with so little substance. Its frighting to see that someone like Metcalfe can get paid to write fantasy stories for a trade magazine.
Anything that doesn't make money is communist? I guess I've given away my last perl script. I'd hate to be blackballed in a senate hearing soon. Please.
Linux the peace, love and flowers OS? Me thinks the Metcalfe has been smoking too many of the flowers. Try to sell that allusion to Dell who just made about $100,000 for the servers we bought from them, which immediately had Linux installed on them for a web farm and email servers.
You know I love a good fight, and Metcalfe obviously has his opinions that this one won't be won by Linux. But please, Bob, if your going to write about Linux's poor ideology (IYO), figure our what the ideology is first. And by my calculations that should leave you with pretty much nothing to write about. Because this isn't Apple friend. There is no one stream of thought being lead by an egomaniac. This is Linux, and there are at least 7 million ideologies here.
Communists. Hippies. Leave it to the stuffed shirts to fall back on such old fodder.