I saw the Top 75 Security Tools survey you did. Lots of great tools there. But I can't help but think that the security community still has plenty of tools that need to be written. So I'm curious what kind of new tools would you like to see written, re-written from scratch, or merged together to create a better tool? Basically, where do you see the missing pieces in the security community toolkit? What kinds or pieces of software would you encourage people in the Slashdot community to write?
What you're basically asking for is an IDS product which sits inline of the data-stream and can make policy decisions based upon the content of the packets rather than the protocol (which is what a firewall does). Being inline is important because alternative solutions such as sending TCP resets or modifying a firewall/router rulebase aren't always effective, as the Slammer/Sapphire worm illustrates (it was both UDP and contained in a single packet).
Some important things to consider when looking at an inline IDS are:
Accuracy. Since you're dropping traffic, false positives are much more problematic than with a sniffer based IDS.
Management. You'll end up wanting to tune the IDS policy more than with a traditional IDS. Look for something which scales for your organization and makes it easy to specify: where to look, what to look for, and what to do about it. Remember, the best technology is worthless if you can't effectively manage it.
Scalability. Sensors must be able to scale to your traffic needs and the management system needs to be able to scale to the number of sensors you need.
HA. If it's inline, you're going to need some kind of failover or high-availability option, not to mention make upgrades less stressful.
Updates. Some vendors update their signatures once a week. Others once every few months. Most fall somewhere in between. Be sure to ask before you buy.
Stability. Not just the sensor stability, but the company behind it. A lot of the inline IDS's available today aren't sold by the well known IDS players but by smaller startups who may or may not have the $$$ to last.
Now for the shameless plug, NetScreen sells a kickass inline IDS which I, as an employee/developer, highly suggest you check out: http://www.netscreen.com/products/idp.html
While I agree with your sentiments, not everything you said was true. The statement about CA banning for safety reasons polymer framed guns is provably false as both Glock and H&K are allowed to be imported into CA.
Ironically, this law tends to keep out as many high quality (read semi-custom and custom) guns out of CA as Saturday night specials (which are generally illegal anyways) since the smaller shops such as Rock River Arms, Wilson, and Baer can't afford to send any or all of their model firearms for "testing". These guns cost between $1000 and $5000 (and more) and are designed for accuracy and high reliability.
Of course cheap knockoffs ($400) imported from the Philippines (such as Charles Daly) which sell 100's of guns in CA each year can afford the fee.
Even worse, you can't import guns which are no longer manufactured, since the manufacturer won't pay the money to renew their license with the CA gov't. This means that firearms like the Smith & Wesson 10xx series (which were standard issue for the FBI for a number of years) can no longer be imported into CA. Not because it's an unsafe gun, but because S&W won't pay the fee. This of course creates an artificial short supply for these guns which of course means that the price is often 2x that of the rest of the country- if you can even find one.
Of course pro-gun control people like Dianne Feinstein don't care about such realities. She, like a number of other CA politicians, carries concealed firearms. (She got herself deputized so by law she must carry. Funny how an average citizen like myself can't do that!)
Ok, well that's not completely true- it wasn't the *only* reason. ;-) The one thing I noticed though was that while the Xbox's graphics are better than anything else out there, the games aren't as good as those on the PS2.
A friend of mine picked up an Xbox and I've had a chance to watch him play a few games. Honestly they all look really good, but I'm not all that impressed with the games themselves. Halo has this annoying habit of stalling for a brief second (in addition to the short loads between areas of the map) which would drive me nuts in a FPS. And honestly, not having a mouse/keyboard sucks.
Frankly, I'm loving GTA3, GT3 (much better than PGR IMHO), Devil May Cry, etc on my PS2 much more than anything on the Xbox. Even though DOA3 has much nicer graphics than TTT, I still prefer TTT because once you look at everything else, TTT is a better game.
Honestly, the only game on the Xbox I've seen so far that plays as good as it looks is Munch World. But let's face it, between Munch World and FFX, I'll take FFX.
Re:You pay for performance on Future Of IDS · Score: 1
Looked at the report. And their performance section is crap. Why? Simple... they used a SMARTBITS.
Say you have a NIDS and you know about various protocols: ftp, telnet, ssh, http, smtp, snmp, h.323, etc.
Now you have an Ethernet frame which reaches the NIC, it has an IP header in it. You pass it up to the NIDS.
The NIDS says, cool, something to look at. And runs its various signatures/protocol analysis (PA) against the packet. But NIDS vendors aren't totally incompetent- they realize it doesn't make sense to apply ftp sigs/PA against anything other than ftp. Same goes true for every other protocol. This not only reduces false positives, but significantly improves performance as well (since you do fewer tests/packet).
So what happens when a SMARTBITS generates traffic? Well it can't create a valid TCP stream, let alone a valid HTTP connection, so the NIDS isn't going to do all those expensive checks for any SMARTBITS generated traffic. The result is that all the SMARTBITS traffic is never processed like "real traffic" which artificially inflates the performance of the NIDS.
NSS even realizes this is a problem (if you read between the lines) on pg 167 when they say "future tests will continue to enhance the 'real world' packet mix... by including complete sessions".
This is why a SMARTBITS works great for testing routers/switches/etc- they don't bother looking into the data portion or even the header info for protocols above layer 3.
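An added example, not part of the original comment: a toy model of the protocol dispatch described above, counting how many signature tests a sensor runs on stateless generator-style packets versus one complete HTTP session. The signature counts, addresses and the `ToySensor` class are constructed assumptions, not any vendor's design.

```python
from dataclasses import dataclass

# Hypothetical number of signatures per protocol, constructed for illustration.
SIGS_PER_PROTO = {"http": 400, "ftp": 60, "smtp": 80}
PORT_TO_PROTO = {80: "http", 21: "ftp", 25: "smtp"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A" or "PA"
    payload: bytes = b""


class ToySensor:
    """Runs a protocol's signatures only on data in an established TCP flow."""

    def __init__(self):
        self.flows = {}       # flow key -> "syn" | "synack" | "established"
        self.sig_checks = 0   # signature tests actually executed
        self.packets = 0

    @staticmethod
    def _key(p):
        # Same key for both directions of a connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def process(self, p):
        self.packets += 1
        key = self._key(p)
        state = self.flows.get(key)
        if p.flags == "S":
            self.flows[key] = "syn"
        elif p.flags == "SA" and state == "syn":
            self.flows[key] = "synack"
        elif p.flags == "A" and state == "synack":
            self.flows[key] = "established"
        elif state == "established" and p.payload:
            # Dispatch: only the signatures for this flow's protocol are tested.
            proto = PORT_TO_PROTO.get(p.dport) or PORT_TO_PROTO.get(p.sport)
            self.sig_checks += SIGS_PER_PROTO.get(proto, 0)
        # Anything else (data with no handshake) gets no application-layer work.


def stateless_load(n):
    """Constructed generator-style traffic: data packets with no handshake."""
    return [Packet("10.0.0.5", 1024 + i, "10.0.0.80", 80, "PA", b"\x00" * 64)
            for i in range(n)]


def http_session(n_data):
    """Constructed complete session: three-way handshake, then n_data requests."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.80", 80)
    pkts = [Packet(*c, *s, "S"), Packet(*s, *c, "SA"), Packet(*c, *s, "A")]
    pkts += [Packet(*c, *s, "PA", b"GET / HTTP/1.0\r\n\r\n") for _ in range(n_data)]
    return pkts


def checks_per_packet(packets):
    """Average signature tests per packet for a fresh sensor."""
    sensor = ToySensor()
    for p in packets:
        sensor.process(p)
    return sensor.sig_checks / sensor.packets


if __name__ == "__main__":
    print("stateless load :", checks_per_packet(stateless_load(1000)))
    print("real session   :", checks_per_packet(http_session(7)))
```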
Re:You pay for performance on Future Of IDS · Score: 1
No, I'm not saying SMARTBITS isn't sufficient to test a NIDS alone- I'm saying that using a SMARTBITS is completely asinine to test a NIDS since SMARTBITS is designed to test routers and switches not devices which deal with layers 3 and up such as NIDS and firewalls.
If you can find me one NIDS review by a reputable 3rd party where they hooked up a NIDS to a SMARTBITS and reported the results I'll take it back.
As for ISS/NetICE/Snort... my point was this:
- ISS false positives so much that it is completely worthless. Now that they've got the NetICE tech, they should be able to fix this- time will tell.
- Snort false positives way too much too (see an earlier post by me on this topic)
- NetICE missed 45% of the attacks that NWC threw at it. Pathetic. I blame this on lack of signatures (which ISS/Snort/Dragon have and did significantly better in the test).
Re:You pay for performance on Future Of IDS · Score: 1
Any IDS vendor that is using a smartbits to test their NIDS should be flogged and then shot in the kneecap.
Why? Because a smartbits doesn't generate "real" application traffic. They don't do ftp, http, smtp, h.323, etc. So what point is there in using it to test/benchmark the throughput of a NIDS which needs to look into these protocols? None- which is why a smartbits is used to test routers, switches and things of that nature- not NIDS or firewalls.
Fact is I've used both ISS and Snort, and frankly they both suck. Both false positive up the wazoo. Only now that ISS is integrating the technology from NetIce are they able to have decent accuracy- and even then they've got a long way to go.
Not to mention trying to compare NetIce to Snort is like apples and oranges. NetIce does protocol analysis and Snort is mostly signature based. Anyone in the industry who is honest will tell you that sigs will detect more attacks but require more processing time than PA. The recent test by Network Computing is a good indication of this. (NetICE found 5/9, Snort 8/9, Dragon, another sig based system, found 9/9 attacks)
But when is Snort going to get good sigs? on Future Of IDS · Score: 5, Insightful
I'm sure I'm going to get mod'd down or marked flamebait for this, but here it goes...
Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:
1) Massive false positives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.
2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.
3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.
4) There's a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.
Unfortunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives since it makes you completely blind to the attack. Which means you either get deluged with alerts or miss legitimate threats to your network.
Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.
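An added example, not part of the original comment: points 1 and 2 above shown from the detection side, comparing a path-only signature, a contiguous-string signature, and a check that parses the request and tests the decoded parameter value. The script name, parameter name and request lines are constructed, and none of this is Snort's rule language or engine.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Hypothetical script and parameter names, constructed for this example.
VULN_PATH = "/cgi-bin/example.cgi"
VULN_PARAM = "file"

# Constructed request targets: (label, request-target, is_attack)
SAMPLES = [
    ("benign", "/cgi-bin/example.cgi?file=report.txt", False),
    ("attack", "/cgi-bin/example.cgi?file=../../etc/passwd", True),
    ("attack+padding", "/cgi-bin/example.cgi?x=1&file=../../etc/passwd", True),
    ("attack+encoding",
     "/cgi-bin/example.cgi?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd", True),
]


def sig_path_only(target):
    """Point 1: alert on any request that merely names the script."""
    return VULN_PATH in target


def sig_raw_string(target):
    """Point 2: one contiguous string covering script, parameter and payload."""
    return "example.cgi?file=../" in target


def sig_parsed(target):
    """Parse the request, then test only the decoded value of the risky parameter."""
    parts = urlsplit(target)
    if unquote(parts.path) != VULN_PATH:
        return False
    # parse_qsl percent-decodes names and values and ignores parameter order.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name != VULN_PARAM:
            continue
        segments = value.replace("\\", "/").split("/")
        if ".." in segments:          # parent-directory path segment
            return True
    return False


SIGNATURES = {
    "path_only": sig_path_only,
    "raw_string": sig_raw_string,
    "parsed": sig_parsed,
}


def evaluate(samples=SAMPLES):
    """Return {signature: {"false_positives": [...], "false_negatives": [...]}}."""
    report = {}
    for sig_name, sig in SIGNATURES.items():
        fp = [label for label, target, attack in samples
              if sig(target) and not attack]
        fn = [label for label, target, attack in samples
              if attack and not sig(target)]
        report[sig_name] = {"false_positives": fp, "false_negatives": fn}
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:10s} FP={result['false_positives']} "
              f"FN={result['false_negatives']}")
```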
1) Started doing PC desktop support
2) Company wanted me to help with the Novell servers, so they trained me. Started playing with Linux on my own.
3) Next job did PC support + Novell and learned about IP networking and routers. Did more Linux on my own.
4) Next job hired as a network engineer (manage the routers, switches, etc) and started helping out on the Unix side of things. By the end of the job (4 years) I knew more about Unix than most of the Unix admins and was basically doing Unix admin 50% of the time.
5) Current job doing all sorts of Unix and security things.
Honestly, I got lucky. My 3rd job was a small internet startup which wanted someone who was smart and was willing to train since they didn't want to spend much $$$. Of course this was in the middle of the .com revolution, so finding good people who knew something was really really hard. Now that the bubble has burst, companies know they can find quality talent and don't have to train people.
My current company laid off most of its technical staff a number of months ago, and of my friends with 2 years experience, none have found anything. (Well, one friend moved to Switzerland and just got a consulting job yesterday.) One of them with just under a year experience, hasn't even gotten an interview. At least here in the Silicon Valley, things are the shits for people who don't have years of experience.
Of course, the effect of penetrating so well (actually, it OVER-penetrates), is that the 9mm sucks in actually keeping someone down after one shot. 9mm isn't designed to actually kill someone- which is why NATO uses it. Right now, 99% of you are "HUH?", so let me explain...
What happens in the battlefield when you seriously hurt, but do not kill your enemy? Well, perfectly healthy bad-guys now have to go get said injured person and bring him back to the medics. This means that for each person hit, two or so more people are taken out of the fire-fight as they try to deal with their injured buddy. Hit enough people like this, and their supply lines are now full of injured people, not to mention the psychological effect it has on your opponent.
On a side note, a 9mm, .357Mag, .357Sig, and .38 are all basically the same size bullet, though if I were going to pick one to knock someone down, I'd go with the .357Sig (same ballistics as the 9mm +P+ load, though the .357Sig has about 100fps on the +P+ in any bullet weight). Personally though, I'll take a 10mm, .40S&W, (10mm is basically a .40S&W with a longer case) or .45ACP in a hollowpoint over any nine for one-shot knockdown punch. Not only are the rounds bigger/heavier, but they're not so fast that you have to worry about over-penetration- so you'll actually do some serious damage to the target assuming you get a solid hit.
This argument that Microsoft is making is the same stupid argument that was made by Richard M. Smith on Friday Aug 10, 2001 shortly after Code Red.
The short story is that eEye's announcement had absolutely nothing to do with Code Red. The person(s) who developed Code Red figured out the exploit on their own. For more details check out Marc Maiffret's (of eEye) email to the Bugtraq list: http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=203550
People who argue that full disclosure is harmful just fail to realize the facts of the matter- people who write these attacks all aren't script kiddies and they're quite capable of developing attacks on their own. And the reality is that most vendors only respond to full disclosure to actually fix bugs (and even then it takes too long).
The GPL isn't even close to tyranny. Here's why...
"inventing a new maneuver" would indicate a new implementation of "fishing". This would be analogous to reading the source code of Samba and then writing your own implementation of the SMB protocol, but not using the actual code. This is perfectly valid under the GPL.
However, if after reading a book I wrote and GPL'd on fishing, and if you came up with a new maneuver BASED on one you read, then yes, you'd have to share. It's not tyranny, because nobody is forcing you to read my book. If you don't like the rules, come up with your own fishing trick on your own.
Don't complain that I'm making you release your fishing technique if you couldn't come up with it on your own.
Detection of encryption is generally pretty easy- while the data is random, generally you have headers/footers which make it obvious.
Of course, more sneaky people could easily strip the headers and send, and the receiver put them back (generally the headers are pretty static).
Even more sneaky, would be to use a form of steganography which places the encrypted stream inside of a music, image, or movie file (mp3, jpeg, etc).
The reality though in my opinion is that key-escrow is doomed. Just too complicated/difficult to do/enforce. It's a lot more effective to just say "Give us your key or we'll throw you in jail for obstruction of justice until you do." At that point it's basically up to you to prove you don't have the key. (And how does one go about proving you don't know or have something anyways?) And from the government's position, they prolly don't really care if you ever give it up- you're already in jail.
The reality is that there's enough strong encryption available today that doesn't have back doors that there's nothing to prevent criminals from using that. If they're smart enough to use encryption, they're not going to be dumb enough to use encryption that they know the gov't can break. All it does is criminalize perfectly law abiding citizens.
Now, it's not really that bad. Things would be a whole lot better in the world of Windows security if two things happened:
1) Microsoft shipped their OS in a reasonably secure-by-default configuration. Now, I realize that if they did the OpenBSD and shipped with everything turned off their users would scream, but the reality is that MS has enabled a lot of things that the average user really doesn't need.
2) People actually patch their systems regularly. People go to gas stations and pump their own gas (well in most areas of the world), and it really isn't that much more difficult to install security patches. Just go to the MS web site, download, and install. Honestly, part of me feels that people should have to get a computer license to connect a computer on the public Internet, just like driving a car on public streets.
I'll be the first to admit, that neither of these are going to completely solve for the problem, but either would definitely make a rather dramatic impact to these sorta things.
1) Not the US's fault that the UK economy wasn't strong enough and ended up going bankrupt, but at least the US was nice enough to forgive all your debt. I'm not saying what the UK did wasn't great and all, but we all realize that the UK saw the writing on the wall- they were going to be next. It was in their own best interest to help Poland. Better to fight the war on Polish soil than on their own. And how many more millions of people would have died in those years while the UK got the resources to invade Europe?
2) As for Iraqi civilians, again not our fault that the Iraqi military intercepts our humanitarian aid. The US has been very clear and supportive of the UN resolution requiring Saddam to let inspectors visit suspected bio/chem factories. Damn straight we (and the rest of the world) should be aggressive and try to limit Saddam's access to weapons of mass destruction. If Saddam prioritized his own people's well-being above his ability to kill others the Iraqi people wouldn't be in this mess.
3) As for Cuba... well shit, maybe if they hadn't let the Russians install nukes in our backyard we wouldn't have gotten so damn pissed. Perhaps it's not sensible or reasonable, but it's hard to blame us for our response. Not like Castro is worthy of help (notice his comments regarding the WTC). The reality is that the US has always supported democracies in the world and given the finger to communism.
4) Did we help Iraq against Iran? Yep. Does the US have a history of helping people who then hurt us? Yep. Does this make a strong argument that our leaders in the past have been pretty damn stupid at times? Yep. Did we tell Saddam, "Go ahead, invade Kuwait, see if we care." Nope.
As for your final argument that the US gives people reason to attack a bunch of stock brokers and bankers, I find that highly offensive. Face it, these people were by and large innocent. Regardless of what the US has done in the past, two wrongs still don't make a right.
Of course the issue is Intel going to give us a choice? Of course not. That's why the i845 chipset only supports the older PC133 SDRAM and not the newer/faster DDR SDRAM. By limiting support to PC133, you can't truly take advantage of the P4's memory throughput potential.
No, expect Via to come out with the real cost/price performer based on DDR SDRAM, which is of course why Intel is suing Via so that Intel can keep control of the P4 platform and thereby increase its revenues.
At times like this, I'm reminded of the following quote:
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
Honestly, I have to admit that while I disagree with RMS's way of advocating this position (it would be nice for him to once try to sound calm and rational rather than ranting like a confused drug addict) I do agree with his overall point.
The reality is that there are those in government who believe that the police and other law enforcement agencies need more power to deal with technology (Carnivore, key-escrow, lower requirements for wiretaps) and that in many cases these are violations of our liberties. People may argue that only the guilty need to fear, but the reality is that our own history has countless examples of illegal government actions against law abiding citizens whose only "crime" was thinking differently than the government's position on key aspects of society and speaking about it. Basically for exercising their constitutional right of free speech, people have been harassed and jailed (remember McCarthyism?).
We all should write our Congress-persons and Representative and let them know (in a calm and rational way) that we as a society should not let the actions of a few limit the liberties of the many. We all can post as much as we want on slashdot, but we're just preaching to the choir.
There's a big difference between being happy about Iraq getting its war machine hit and dancing in the streets when you see dead bodies being pulled out of the rubble.
The real difference between the bombing of Baghdad and the WTC is that the US went out of its way to avoid civilian buildings (often taking a riskier route through the air defenses) while the terrorists did the opposite. Were civilians killed by our bombs? Of course. But we can honestly say that we as a nation did our best to avoid needless civilian deaths, but war is war and you can't always prevent it 100%.
Oh, I see... we should kill a bunch of bankers because destroying a F16 factory wouldn't be effective enough! Yeah, that's a great reason to kill a bunch of innocent people.
I'm not sure what I'd do. But committing terrorism sure isn't one of them! There is no justification for this (don't give me this David vs. Goliath crap).
We send them food and medical supplies. Unfortunately, the Iraqi military intercepts it and sells it on the black market. Sometimes you can't help a people who aren't willing to help themselves. Not saying we shouldn't try, but sometimes there's nothing you can do (getting rid of Saddam is a worse idea... see an above post as why).
No idea what you're talking about, but it doesn't sound like fun to me.
Oh please, don't even try to compare a terrorist act to the Gulf War. Also, I think people were more happy that our boys came home and we helped out than because "we just gone and killed a bunch of evil Iraqi's". At least that's my thoughts on the matter.
We do not "expect principal plus interest". Shit, in WWII we didn't ask for principal or interest. And yep, it's ironic that we created Saddam and bin Laden. Sad too. I'm sure at the time when they were fighting Iran and Russia it made a lot of sense to us then. I bet our leaders of the time are kicking themselves in the butt now. Sucks to be us. Hind-sight is always 20-20.
Seriously... you really believe the government controlled news reports from Iraq? I'm not denying that some people are dying. But:
It's surely not as bad as Saddam would like you to believe.
Would stop immediately once Saddam allowed the UN to complete its inspections.
Wouldn't be so bad if the food and medical supplies that the US and the rest of the world sends them weren't intercepted by the Iraqi military and then sold on the black market.
I'm not saying that we're innocent, but you're demonizing the wrong country.
Yes, yes, the whole world (except for Iraq and Iran it seems, though I'm sure I'm leaving out a few) have "pledged their support". It's nice. But words are cheap and easily forgotten- especially in the international community. When those words are backed up by action then I'll appreciate it more.
Yep, Britain was bankrupt after WWII. And rather than collecting, the US forgave BILLIONS and BILLIONS of debt. Not to mention all the money and weapons that the US gave Britain during almost all of the war so it could protect itself and Poland.
I don't understand why everyone EXPECTS Americans to die for every other country in the world every time there's a war right away. Because we didn't go to war right away we're bashed, and people seem to forget that without us, most of Europe would be speaking German or Italian right now.
As for the target selection, the reality is that it was because it was a high death count and because it was symbolic. The reality is that it isn't really going to hurt us economically.
As for Iraq... yeah... that's right, "protection from American aggression". Let's forget the fact that virtually every NATO country was involved in the Gulf War and that Saddam started it. Why should the international community (remember these were UN inspectors) give into Saddam?
As for "finishing the Gulf War" you're the ignorant one. Just take a look at the political environment in the region. What happens when you destroy Iraq completely? I'll tell you what, you've just started ANOTHER war as Iran moves in. And if Iraq saw its end being near, they would have launched bio or chemical weapons at Israel, who WOULD have retaliated with nuclear weapons.
So by stopping where we did, we prevented things from getting much worse. May not be the perfect solution (it surely isn't) but I don't see a better one.
Ok, I'll agree that Canada has helped us on more than one occasion. Numerous times as a matter of fact. But the hard truth is that the amount that other countries have helped the US is a drop in the bucket compared to the other way around. And even now, the amount of support that other countries are giving us is mostly symbolic- which isn't to say that it's worthless.
As for last to help in WWII, give me a break. If it wasn't for the US's loans and weapons, England would have fallen to Hitler years before our boys were paying the ultimate price to save Europe. And then after the war, we forgave TRILLIONS in debt and even helped our enemies rebuild. Read up on the Marshall Plan the next time you think the US doesn't do much to help out the international community.
Ironic isn't it that when the world condemns us either way. We're fucked when we don't help fast enough (WWII), and we're fucked when we go full bore into the middle of the conflict (Gulf War). And then when we don't help in every single conflict in the world, people bitch we don't help enough.
Give me a break. We do what we can, when we can. Sure, when we help it is often for our benefit, but we've still done more than any other country in the world. Again, if you don't like the US foreign policy, then tell your government to fill in the gaps.
I've never claimed that the US is perfect, but before you condemn us at least take a step back and look at the whole picture.
Oh please.... Trying to compare this to what's going on with the Palestinians or in Iraq is ludicrous. Let's count the ways:
If this act was because the US has armed Israel, why then didn't the terrorists go after General Dynamics, Lockheed, Raytheon, or another US company which develops and sells these weapons? Why are they killing a bunch of bankers and stock brokers instead of the guys who developed the F16?
As much as you might dislike what Israel is doing to the Palestinians, they're not the ones going around and intentionally bombing pizza joints and wedding receptions. I have a hard time condemning Israel going after terrorists who are killing people whose only crime is trying to get married.
If Saddam didn't put his own people in harm's way (can you say "human shield"?) they wouldn't get hurt when the US bombs legitimate military targets.
And if the sanctions are so horrible in Iraq, then why doesn't Saddam simply comply with the UN resolutions and allow them to inspect for bio and chemical weapons? Why is Saddam choosing developing weapons of mass destruction over the welfare of his own people?
When was the last time Americans were dancing in the streets because some Palestinians or Iraqis died in an attack? Honestly, that's what has me the most sick. It's one thing for someone to be a terrorist and kill a few thousand people, it's even worse to be happy about it.
Yes, everyone loves to complain about American foreign policy. Of course whenever there is any natural disaster or other event (like war) which destroys a nation, the US is always the first there to help and you don't hear people complain then. The US singlehandedly rebuilt most of Europe and Japan after World War II, not to mention countless times we've sent aid to countries for famine, disease, or other natural disasters. Maybe if the rest of the world wasn't so fucked up we wouldn't have to keep getting involved all the time. Somebody has to be the world's police officer and I don't see anyone else asking to fill the role. Oh, and when was the last time another country came and offered help to the US when we had a natural disaster? I don't remember anyone offering help after the San Francisco Loma Prieta quake or the hurricanes in Florida. Hell, I don't see Japan, England, France, China, or anyone else for that matter helping us now other than making a few strong statements to the media which will be forgotten in a month.
Frankly, anyone who thinks terrorism is "deserved" or "acceptable" or that "they deserved it" is morally corrupt in my opinion. The whole purpose of terrorism is to attack the innocent population for political purposes. There is no moral high-ground or legitimate reason for terrorism.
First, let me say: once every 13 weeks? Damn, that must be wonderful. The last company I worked for didn't have enough people for the rotation so you were on call about every 4 weeks. Needless to say, this had all the oncall people very pissed off and very stressed out. It wasn't uncommon for the person oncall to go 24 hours without sleep due to significant production problems. Anyways...
What you're talking about is generally considered 'comp time' and according to my now ex-HR department they couldn't do that in the state of California due to conflicting state/federal laws. What we did though is have an unofficial-official policy that you could take a 3 day weekend (we rotated Th-Th) at the end of it so you had either Friday or Monday off. This was done under the table so as not to count against vacation/PTO.
I think this policy was actually pretty good (definitely a lot better than $60)- if they had enough people qualified to do the rotation I think they would have had much better luck keeping people.
I saw the Top 75 Security Tools survey you did. Lots of great tools there. But I can't help but think that the security community still has plenty of tools that need to be written. So I'm curious what kind of new tools would you like to see written , re-written from scratch, or merged together to create a better tool? Basically, where do you see the missing pieces in the security community toolkit? What kinds or pieces of software would you encourage people in the slashdot community to write?
Some important things to consider when looking at an inline IDS are:
Now for the shameless plug, NetScreen sells a kickass inline IDS which I, as an employee/developer highly suggest you check out:
http://www.netscreen.com/products/idp.html
While I agree with your sentiments, not everything you said was true. The statement about CA banning for safety reasons polymer framed guns is provably false as both Glock and H&K are allowed to be imported into CA.
Ironically, this law tends to keep as many high quality (read semi-custom and custom) guns out of CA as Saturday night specials (which are generally illegal anyways) since the smaller shops such as Rock River Arms, Wilson, and Baer can't afford to send any or all of their model firearms for "testing". These guns cost between $1000 and $5000 (and more) and are designed for accuracy and high reliability.
Of course cheap knockoffs ($400) imported from the Philippines (such as Charles Daly) which sell 100s of guns in CA each year can afford the fee.
Even worse, you can't import guns which are no longer manufactured, since the manufacturer won't pay the money to renew their license with the CA gov't. This means that firearms like the Smith & Wesson 10xx series (which were standard issue for the FBI for a number of years) can no longer be imported into CA. Not because it's an unsafe gun, but because S&W won't pay the fee. This of course creates an artificial short supply for these guns which of course means that the price is often 2x that of the rest of the country- if you can even find one.
Of course pro-gun control people like Dianne Feinstein don't care about such realities. She, like a number of other CA politicians, carries concealed firearms. (She got herself deputized so by law she must carry. Funny how an average citizen like myself can't do that!)
Ok, well that's not completely true- it wasn't the *only* reason. ;-) The one thing I noticed though was that while the Xbox's graphics are better than anything else out there, the games aren't as good as those on the PS2.
A friend of mine picked up an Xbox and I've had a chance to watch him play a few games. Honestly they all look really good, but I'm not all that impressed with the games themselves. Halo has this annoying habit of stalling for a brief second (in addition to the short loads between areas of the map) which would drive me nuts in a FPS. And honestly, not having a mouse/keyboard sucks.
Frankly, I'm loving GTA3, GT3 (much better than PGR IMHO), Devil May Cry, etc on my PS2 much more than anything on the Xbox. Even though DOA3 has much nicer graphics than TTT, I still prefer TTT because once you look at everything else, TTT is a better game.
Honestly, the only game on the Xbox I've seen so far that plays as good as it looks is Munch World. But let's face it, between Munch World and FFX, I'll take FFX.
Looked at the report. And their performance section is crap. Why? Simple... they used a SMARTBITS.
Say you have a NIDS and you know about various protocols: ftp, telnet, ssh, http, smtp, snmp, h.323, etc.
Now you have an ethernet frame which reaches the NIC, it has an ip header in it. You pass it up to the NIDS.
The NIDS says, cool, something to look at. And runs its various signatures/protocol analysis (PA) against the packet. But NIDS vendors aren't totally incompetent- they realize it doesn't make sense to apply ftp sigs/PA against anything other than ftp. Same goes true for every other protocol. This not only reduces false positives, but significantly improves performance as well (since you do fewer tests/packet).
So what happens when a SMARTBITS generates traffic? Well it can't create a valid TCP stream, let alone a valid HTTP connection, so the NIDS isn't going to do all those expensive checks for any SMARTBITS generated traffic. The result is that all the SMARTBITS traffic is never processed like "real traffic" which artificially inflates the performance of the NIDS.
NSS even realizes this is a problem (if you read between the lines) on pg 167 when they say "future tests will continue to enhance the 'real world' packet mix ... by including complete sessions".
This is why a SMARTBITS works great for testing routers/switches/etc- they don't bother looking into the data portion or even the header info for protocols above layer 3.
No, I'm not saying SMARTBITS isn't sufficient to test a NIDS alone- I'm saying that using a SMARTBITS is completely asinine to test a NIDS since SMARTBITS is designed to test routers and switches, not devices which deal with layers 3 and up such as NIDS and firewalls.
If you can find me one NIDS review by a reputable 3rd party where they hooked up a NIDS to a SMARTBITS and reported the results I'll take it back.
As for ISS/NetICE/Snort... my point was this:
- ISS false positives so much that it is completely worthless. Now that they've got the NetICE tech, they should be able to fix this- time will tell.
- Snort false positives way too much too (see an earlier post by me on this topic)
- NetICE missed 45% of the attacks that NWC threw at it. Pathetic. I blame this on a lack of signatures (which ISS/Snort/Dragon have and did significantly better in the test).
Any IDS vendor that is using a smartbits to test their NIDS should be flogged and then shot in the kneecap.
Why? Because a smartbits doesn't generate "real" application traffic. They don't do ftp, http, smtp, h.323, etc. So what point is there in using it to test/benchmark the throughput of a NIDS which needs to look into these protocols? None- which is why a smartbits is used to test routers, switches and things of that nature- not NIDS or firewalls.
Fact is I've used both ISS and Snort, and frankly they both suck. Both false positive up the wazoo. Only now that ISS is integrating the technology from NetIce are they able to have decent accuracy- and even then they've got a long way to go.
Not to mention trying to compare NetIce to Snort is like apples and oranges. NetIce does protocol analysis and Snort is mostly signature based. Anyone in the industry who is honest will tell you that sigs will detect more attacks but require more processing time than PA. The recent test by Network Computing is a good indication of this. (NetICE found 5/9, Snort 8/9, Dragon, another sig based system, found 9/9 attacks)
I'm sure I'm going to get mod'd down or marked flamebait for this, but here it goes...
Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:
1) Massive false positives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.
2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.
3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.
4) There's a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.
Unfortunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives since it makes you completely blind to the attack. Which means you either get deluged with alerts or miss legitimate threats to your network.
Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.
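An added example, not part of the original comment and not Snort's own code or rule syntax: points 1 and 2 above, shown with three matchers run over constructed request lines. The script path, parameter name and sample requests are hypothetical, invented for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical script and parameter, invented for this example.
VULN_PATH = "/cgi-bin/example.cgi"
VULN_PARAM = "file"
TRAVERSAL = "../"


def sig_path_only(request_line: str) -> bool:
    """Point 1: alert on any request that merely names the script."""
    return VULN_PATH in request_line


def sig_fixed_string(request_line: str) -> bool:
    """Point 2: one fixed string covering script, parameter and payload."""
    return f"{VULN_PATH}?{VULN_PARAM}={TRAVERSAL}" in request_line


def sig_parsed(request_line: str) -> bool:
    """Parse the request and test only the value of the affected parameter."""
    parts = request_line.split(" ")
    if len(parts) != 3:          # expect: METHOD SP URI SP VERSION
        return False
    url = urlsplit(parts[1])
    if url.path != VULN_PATH:
        return False
    # parse_qs splits on '&' and percent-decodes, so parameter order
    # and position in the query string no longer matter.
    values = parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, [])
    return any(TRAVERSAL in value for value in values)


# Constructed sample traffic.
SAMPLES = {
    "benign": "GET /cgi-bin/example.cgi?file=report.txt HTTP/1.0",
    "exploit": "GET /cgi-bin/example.cgi?file=../../secret.txt HTTP/1.0",
    "reordered": "GET /cgi-bin/example.cgi?lang=en&file=../../secret.txt HTTP/1.0",
}


def run_signatures() -> dict:
    """Return {sample: (path_only, fixed_string, parsed)} alert decisions."""
    return {
        name: (sig_path_only(line), sig_fixed_string(line), sig_parsed(line))
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    print(f"{'sample':<10} path_only fixed_string parsed")
    for name, (a, b, c) in run_signatures().items():
        print(f"{name:<10} {a!s:<9} {b!s:<12} {c}")
```

The path-only matcher alerts on the benign request, the fixed-string matcher misses the request with an extra parameter in front, and the parsed matcher gets all three right.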
My short story is:
1) Started doing PC desktop support
2) Company wanted me to help with the Novell servers, so they trained me. Started playing with Linux on my own.
3) Next job did PC support + Novell and learned about IP networking and routers. Did more Linux on my own.
4) Next job hired as a network engineer (manage the routers, switches, etc) and started helping out on the Unix side of things. By the end of the job (4 years) I knew more about Unix than most of the Unix admins and was basically doing Unix admin 50% of the time.
5) Current job doing all sorts of Unix and security things.
Honestly, I got lucky. My 3rd job was a small internet startup which wanted someone who was smart and was willing to train since they didn't want to spend much $$$. Of course this was in the middle of the .com revolution, so finding good people who knew something was really really hard. Now that the bubble has burst, companies know they can find quality talent and don't have to train people.
My current company laid off most of its technical staff a number of months ago, and of my friends with 2 years experience, none have found anything. (Well, one friend moved to Switzerland and just got a consulting job yesterday.) One of them with just under a year experience, hasn't even gotten an interview. At least here in the Silicon Valley, things are the shits for people who don't have years of experience.
Of course, the effect of penetrating so well (actually, it OVER-penetrates), is that the 9mm sucks in actually keeping someone down after one shot. 9mm isn't designed to actually kill someone- which is why NATO uses it. Right now, 99% of you are "HUH?", so let me explain...
What happens in the battlefield when you seriously hurt, but do not kill your enemy? Well, perfectly healthy bad-guys now have to go get said injured person and bring him back to the medics. This means that for each person hit, two or so more people are taken out of the fire-fight as they try to deal with their injured buddy. Hit enough people like this, and their supply lines are now full of injured people, not to mention the psychological effect it has on your opponent.
On a side note, a 9mm, .357Mag, .357Sig, and .38 are all basically the same size bullet, though if I were going to pick one to knock someone down, I'd go with the .357Sig (same ballistics as the 9mm +P+ load, though the .357Sig has about 100fps on the +P+ in any bullet weight). Personally though, I'll take a 10mm, .40S&W, (10mm is basically a .40S&W with a longer case) or .45ACP in a hollowpoint over any nine for one-shot knockdown punch. Not only are the rounds bigger/heavier, but they're not so fast that you have to worry about over-penetration- so you'll actually do some serious damage to the target assuming you get a solid hit.
This argument that Microsoft is making is the same stupid argument that was made by Richard M. Smith on Friday Aug 10, 2001 shortly after Code Red.
The short story is that eEye's announcement had absolutely nothing to do with Code Red. The person(s) who developed Code Red figured out the exploit on their own. For more details check out Marc Maiffret's (of eEye) email to the Bugtraq list: http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=203550
People who argue that full disclosure is harmful just fail to realize the facts of the matter- people who write these attacks all aren't script kiddies and they're quite capable of developing attacks on their own. And the reality is that most vendors only respond to full disclosure to actually fix bugs (and even then it takes too long).
Nuff said.
The GPL isn't even close to tyranny. Here's why...
"inventing a new maneuver" would indicate a new implementation of "fishing". This would be analogous to reading the source code of Samba and then writing your own implementation of the SMB protocol, but not using the actual code. This is perfectly valid under the GPL.
However, if after reading a book I wrote and GPL'd on fishing, and if you came up with a new maneuver BASED on one you read, then yes, you'd have to share. It's not tyranny, because nobody is forcing you to read my book. If you don't like the rules, come up with your own fishing trick on your own.
Don't complain that I'm making you release your fishing technique if you couldn't come up with it on your own.
Detection of encryption is generally pretty easy- while the data is random, generally you have headers/footers which make it obvious.
Of course, more sneaky people could easily strip the headers and send, with the receiver putting them back (generally the headers are pretty static).
Even more sneaky would be to use a form of steganography which places the encrypted stream inside of a music, image, or movie file (mp3, jpeg, etc).
The reality though in my opinion is that key-escrow is doomed. Just too complicated/difficult to do/enforce. It's a lot more effective to just say "Give us your key or we'll throw you in jail for obstruction of justice until you do." At that point it's basically up to you to prove you don't have the key. (And how does one go about proving you don't know or have something anyways?) And from the government's position, they prolly don't really care if you ever give it up- you're already in jail.
The reality is that there's enough strong encryption available today that doesn't have back doors that there's nothing to prevent criminals from using that. If they're smart enough to use encryption, they're not going to be dumb enough to use encryption that they know the gov't can break. All it does is criminalize perfectly law abiding citizens.
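An added example, not part of the original comment: the two detection approaches it contrasts, a check for well-known container headers and, for payloads whose headers were stripped, a byte-entropy test. The 7.5 bits/byte threshold, the 1024-byte minimum and all sample payloads are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import math
from collections import Counter

# Two real, static markers: PGP ASCII armor and the OpenSSL "enc" salted format.
KNOWN_HEADERS = {
    b"-----BEGIN PGP MESSAGE-----": "PGP ASCII armor",
    b"Salted__": "OpenSSL enc salted format",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for this example
MIN_LENGTH = 1024         # assumed; entropy estimates on short payloads are noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(payload: bytes) -> str:
    """Header match first; fall back to entropy for headerless payloads."""
    for magic, name in KNOWN_HEADERS.items():
        if payload.startswith(magic):
            return f"header: {name}"
    if len(payload) >= MIN_LENGTH and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "no header, high entropy"
    return "not flagged"


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a counter."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def classify_samples() -> dict:
    """Classify four constructed payloads and return {name: verdict}."""
    body = pseudo_random(4096)
    samples = {
        "openssl_with_header": b"Salted__" + body,
        "pgp_armor": b"-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(body[:300]),
        "headers_stripped": body,
        "plain_text": b"Quarterly report attached, please review before Friday. " * 64,
    }
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:<22} {verdict}")
```

Compressed media such as JPEG or MP3 is also close to 8 bits per byte, so the entropy test flags it as well and cannot separate the embedded-in-a-media-file case from an ordinary file.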
1) Microsoft shipped their OS in a reasonably secure-by-default configuration. Now, I realize that if they did the OpenBSD and shipped with everything turned off their users would scream, but the reality is that MS has enabled a lot of things that the average user really doesn't need.
2) People actually patch their systems regularly. People go to gas stations and pump their own gas (well in most areas of the world), and it really isn't that much more difficult to install security patches. Just go to the MS web site, download, and install. Honestly, part of me feels that people should have to get a computer license to connect a computer on the public Internet, just like driving a car on public streets.
I'll be the first to admit, that neither of these are going to completely solve for the problem, but either would definitely make a rather dramatic impact to these sorta things.
1) Not the US's fault that the UK economy wasn't strong enough and ended up going bankrupt, but at least the US was nice enough to forgive all your debt. I'm not saying what the UK did wasn't great and all, but we all realize that the UK saw the writing on the wall- they were going to be next. It was in their own best interest to help Poland. Better to fight the war on Polish soil than on their own. And how many more millions of people would have died in those years while the UK got the resources to invade Europe?
2) As for Iraqi civilians, again not our fault that the Iraqi military intercepts our humanitarian aid. The US has been very clear and supportive of the UN resolution requiring Saddam to let inspectors visit suspected bio/chem factories. Damn straight we (and the rest of the world) should be aggressive and try to limit Saddam's access to weapons of mass destruction. If Saddam prioritized his own people's well-being above his ability to kill others the Iraqi people wouldn't be in this mess.
3) As for Cuba... well shit, maybe if they hadn't let the Russians install nukes in our backyard we wouldn't have gotten so damn pissed. Perhaps it's not sensible or reasonable, but it's hard to blame us for our response. Not like Castro is worthy of help (notice his comments regarding the WTC). The reality is that the US has always supported democracies in the world and given the finger to communism.
4) Did we help Iraq against Iran? Yep. Does the US have a history of helping people who then hurt us? Yep. Does this make a strong argument that our leaders in the past have been pretty damn stupid at times? Yep. Did we tell Saddam, "Go ahead, invade Kuwait, see if we care." Nope.
As for your final argument that the US gives people reason to attack a bunch of stock brokers and bankers, I find that highly offensive. Face it, these people were by and large innocent. Regardless of what the US has done in the past, two wrongs still don't make a right.
No, expect Via to come out with the real cost/price performer based on DDR SDRAM, which is of course why Intel is suing Via so that Intel can keep control of the P4 platform and thereby increase its revenues.
For more info, read the i845 review on Tom's Hardware: http://www6.tomshardware.com/mainboard/01q3/010702/
But let me save you your time: The i845 sucks. Really sucks.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
Honestly, I have to admit that while I disagree with RMS's way of advocating this position (it would be nice for him to once try to sound calm and rational rather than ranting like a confused drug addict) I do agree with his overall point.
The reality is that there are those in government who believe that the police and other law enforcement agencies need more power to deal with technology (Carnivore, key-escrow, lower requirements for wiretaps) and that in many cases these are violations of our liberties. People may argue that only the guilty need to fear, but the reality is that our own history has countless examples of illegal government actions against law abiding citizens whose only "crime" was thinking differently than the government's position on key aspects of society and speaking about it. Basically for exercising their constitutional right of free speech, people have been harassed and jailed (remember McCarthyism?).
We all should write our Congress-persons and Representative and let them know (in a calm and rational way) that we as a society should not let the actions of a few limit the liberties of the many. We all can post as much as we want on slashdot, but we're just preaching to the choir.
There's a big difference between being happy about Iraq getting its war machine hit and dancing in the streets when you see dead bodies being pulled out of the rubble.
The real difference between the bombing of Baghdad and the WTC is that the US went out of its way to avoid civilian buildings (often taking a riskier route through the air defenses) while the terrorists did the opposite. Were civilians killed by our bombs? Of course. But we can honestly say that we as a nation did our best to avoid needless civilian deaths, but war is war and you can't always prevent it 100%.
Actually it's estimated that Israel has about 200 nukes: http://www.ceip.org/files/projects/npp/resources/israel.htm
I'm not saying that we're innocent, but you're demonizing the wrong country.
Yes, yes, the whole world (except for Iraq and Iran it seems, though I'm sure I'm leaving out a few) have "pledged their support". It's nice. But words are cheap and easily forgotten- especially in the international community. When those words are backed up by action then I'll appreciate it more.
Yep, Britain was bankrupt after WWII. And rather than collecting, the US forgave BILLIONS and BILLIONS of debt. Not to mention all the money and weapons that the US gave Britain during almost all of the war so it could protect itself and Poland.
I don't understand why everyone EXPECTS Americans to die for every other country in the world every time there's a war right away. Because we didn't go to war right away we're bashed, and people seem to forget that without us, most of Europe would be speaking German or Italian right now.
As for the target selection, the reality is that it was because it was a high death count and because it was symbolic. The reality is that it isn't really going to hurt us economically.
As for Iraq... yeah... that's right, "protection from American aggression". Let's forget the fact that virtually every NATO country was involved in the Gulf War and that Saddam started it. Why should the international community (remember these were UN inspectors) give into Saddam?
As for "finishing the Gulf War" you're the ignorant one. Just take a look at the political environment in the region. What happens when you destroy Iraq completely? I'll tell you what, you've just started ANOTHER war as Iran moves in. And if Iraq saw its end being near, they would have launched bio or chemical weapons at Israel, who WOULD have retaliated with nuclear weapons.
So by stopping where we did, we prevented things from getting much worse. May not be the perfect solution (it surely isn't) but I don't see a better one.
Ok, I'll agree that Canada has helped us on more than one occasion. Numerous times as a matter of fact. But the hard truth is that the amount that other countries have helped the US is a drop in the bucket compared to the other way around. And even now, the amount of support that other countries are giving us is mostly symbolic- which isn't to say that it's worthless.
As for last to help in WWII, give me a break. If it wasn't for the US's loans and weapons, England would have fallen to Hitler years before our boys were paying the ultimate price to save Europe. And then after the war, we forgave TRILLIONS in debt and even helped our enemies rebuild. Read up on the Marshall Plan the next time you think the US doesn't do much to help out the international community.
Ironic, isn't it, that the world condemns us either way. We're fucked when we don't help fast enough (WWII), and we're fucked when we go full bore into the middle of the conflict (Gulf War). And then when we don't help in every single conflict in the world, people bitch we don't help enough.
Give me a break. We do what we can, when we can. Sure, when we help it is often for our benefit, but we've still done more than any other country in the world. Again, if you don't like the US foreign policy, then tell your government to fill in the gaps.
I've never claimed that the US is perfect, but before you condemn us at least take a step back and look at the whole picture.
- If this act was because the US has armed Israel, why then didn't the terrorists go after General Dynamics, Lockheed, Raytheon, or another US company which develops and sells these weapons? Why are they killing a bunch of bankers and stock brokers instead of the guys who developed the F16?
- As much as you might dislike what Israel is doing to the Palestinians, they're not the ones going around and intentionally bombing pizza joints and wedding receptions. I have a hard time condemning Israel going after terrorists who are killing people whose only crime is trying to get married.
- If Saddam didn't put his own people in harm's way (can you say "human shield"?) they wouldn't get hurt when the US bombs legitimate military targets.
- And if the sanctions are so horrible in Iraq, then why doesn't Saddam simply comply with the UN resolutions and allow them to inspect for bio and chemical weapons? Why is Saddam choosing developing weapons of mass destruction over the welfare of his own people?
- When was the last time Americans were dancing in the streets because some Palestinians or Iraqis died in an attack? Honestly, that's what has me the most sick. It's one thing for someone to be a terrorist and kill a few thousand people, it's even worse to be happy about it.
- Yes, everyone loves to complain about American foreign policy. Of course whenever there is any natural disaster or other event (like war) which destroys a nation, the US is always the first there to help and you don't hear people complain then. The US singlehandedly rebuilt most of Europe and Japan after World War II, not to mention countless times we've sent aid to countries for famine, disease, or other natural disasters. Maybe if the rest of the world wasn't so fucked up we wouldn't have to keep getting involved all the time. Somebody has to be the world's police officer and I don't see anyone else asking to fill the role. Oh, and when was the last time another country came and offered help to the US when we had a natural disaster? I don't remember anyone offering help after the San Francisco Loma Prieta quake or the hurricanes in Florida. Hell, I don't see Japan, England, France, China, or anyone else for that matter helping us now other than making a few strong statements to the media which will be forgotten in a month.
Frankly, anyone who thinks terrorism is "deserved" or "acceptable" or that "they deserved it" is morally corrupt in my opinion. The whole purpose of terrorism is to attack the innocent population for political purposes. There is no moral high-ground or legitimate reason for terrorism.
What you're talking about is generally considered 'comp time' and according to my now ex-HR department they couldn't do that in the state of California due to conflicting state/federal laws. What we did though is have an unofficial-official policy that you could take a 3 day weekend (we rotated Th-Th) at the end of it so you had either Friday or Monday off. This was done under the table so as not to count against vacation/PTO.
I think this policy was actually pretty good (definitely a lot better than $60)- if they had enough people qualified to do the rotation I think they would have had much better luck keeping people.