Slashdot Mirror


User: Glamdrlng

Glamdrlng's activity in the archive.

Stories: 0
Comments: 256

Comments · 256

  1. Better question: What if... on Wikipedia Breeds Unwitting Trust (Says IT Professor) · · Score: 2, Insightful

    What if you needed someone to configure a server, router, or firewall in an enterprise production environment? Would you want an IT professor or someone who has read wikipedia? My money's on a wikipedia reader. I'm a network security instructor myself, and only a handful of my peers I've worked with in academia have stepped foot in a data center in the last ten years.

    Wikipedia shouldn't be treated as an expert source in a peer-reviewed journal, but it also shouldn't be dismissed as having no value for a researcher.

  2. Re:Authentication on Firefox Struggling to Compete as Corporate Browser · · Score: 2, Insightful

    What we need is a supported, cross-platform means of deploying those settings to 1,000+ browsers. I know Firefox ADM is out there but there's no guarantee that those ADM templates will work with future releases. Plus that only applies to Windows system management. If Mozilla wants corporate customers to use their browser they need to offer corporate customers the same management options IE has.

  3. Couple options on Avoiding Liability While Fixing Employee PCs? · · Score: 2

    1, The company could supply a company-owned PC to the contractors. That way there's some semblance of standardization and you're not supporting every device on the shelf at Best Buy.

    2, Virtualization is an option. Use a Xen, VMware, or Virtual PC solution and you can just put out minimum requirements for a user's home machine, and you get your management to agree that the IT shop only supports the virtual box.

    3, Get creative about ways to accomplish management's objectives without saying "No". Maybe you can limit your scope of support to company provided applications and get a statement signed by each user that they're responsible for everything besides applications x, y, and z. Or maybe you can limit support to web-based apps that you guys host.

    4, Find a different job. No, seriously. It sounds like there's someone in the company with a job title of CxO that isn't listening to the managers who work under him/her. If that person or people aren't listening to you on this one they likely won't listen anytime you give them advice. Not a good corporate culture, imo.

  4. I'm all for it. on Vista Firewall to be Crippled · · Score: 4, Interesting

    Right now I get mad props at work for keeping Bagle, Netsky, and MyDoom at bay through attachment and AV blocking, spam filtering, and a little bit of shell scripting. Here I was afraid that those would go away and I'd have to find something else to justify my existence within the next couple years. Now it looks like I'm in good shape 'til at least 2010. Thanks Microsoft!

    ps - Other AV programs probably do this, but in case anyone's interested the firewall built into McAfee VirusScan Enterprise v8 blocks SMTP and IRC communication outbound by default unless the executable firing up the communication belongs to a specific set of known email and IRC clients. Good times...
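The per-process egress rule described in the comment above, as an added example that is not part of the original comment and is not McAfee's code: outbound connections to SMTP and IRC ports are allowed only when the initiating executable is on a list of known mail and IRC clients. It also shows the caveat a practitioner cares about, which the comment does not spell out: keying the allowlist on the process name alone is defeated by a mass mailer that names its image `outlook.exe`, so the stronger check also pins the image hash. Every port set, client name, hash and connection record here is constructed for the example.

```python
"""Per-process egress allowlisting for outbound SMTP/IRC (added example).

Two variants of the same policy are compared over constructed connection
records: name-only matching, and name plus image-hash matching.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: plain SMTP and the common IRC ports.  A real deployment would
# add submission (587) and IRC-over-TLS (6697) as its clients require.
SMTP_PORTS = {25}
IRC_PORTS = {6667, 6668, 6669}
WATCHED_PORTS = SMTP_PORTS | IRC_PORTS


def _fake_hash(label: str) -> str:
    """Stand-in for the SHA-256 of an on-disk executable (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed "known good" clients: lower-case image name -> expected hash.
KNOWN_CLIENTS: Dict[str, str] = {
    "outlook.exe": _fake_hash("outlook-2003-sp2"),
    "thunderbird.exe": _fake_hash("thunderbird-1.5"),
    "mirc.exe": _fake_hash("mirc-6.17"),
}


@dataclass(frozen=True)
class Connection:
    process_name: str   # image name as the host agent reports it
    process_hash: str   # SHA-256 of the image that opened the socket
    dst_port: int


def decide_by_name(conn: Connection) -> str:
    """Weak form: the allowlist is keyed on the image name only."""
    if conn.dst_port not in WATCHED_PORTS:
        return "allow"          # policy only covers mail/IRC ports
    return "allow" if conn.process_name.lower() in KNOWN_CLIENTS else "block"


def decide_by_hash(conn: Connection) -> str:
    """Stronger form: the name must be known AND its hash must match."""
    if conn.dst_port not in WATCHED_PORTS:
        return "allow"
    expected = KNOWN_CLIENTS.get(conn.process_name.lower())
    if expected is None or expected != conn.process_hash:
        return "block"          # unknown client, or a known name with a foreign image
    return "allow"


# Constructed connection records: one legitimate mail client, a browser,
# a mass mailer under its own name, and the same mass mailer masquerading
# as outlook.exe on both SMTP and IRC.
SAMPLE_CONNECTIONS: List[Connection] = [
    Connection("OUTLOOK.EXE", KNOWN_CLIENTS["outlook.exe"], 25),
    Connection("iexplore.exe", _fake_hash("ie6"), 80),
    Connection("winupd32.exe", _fake_hash("mass-mailer"), 25),
    Connection("outlook.exe", _fake_hash("mass-mailer"), 25),
    Connection("outlook.exe", _fake_hash("mass-mailer"), 6667),
]


def evaluate(conns: List[Connection] = SAMPLE_CONNECTIONS) -> List[Tuple[str, int, str, str]]:
    """Return (process, port, name-only verdict, name+hash verdict) per record."""
    return [(c.process_name, c.dst_port, decide_by_name(c), decide_by_hash(c)) for c in conns]


if __name__ == "__main__":
    for name, port, by_name, by_hash in evaluate():
        print(f"{name:14} -> :{port:<5} name-only={by_name:5} name+hash={by_hash}")
```

The interesting rows are the last two: a worm that copies itself to `outlook.exe` sails through the name-only check but is blocked once the image hash is pinned. The cost of the stronger check is operational, since every client patch changes the hash and the allowlist has to be refreshed with it.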

  5. Re:Poppycock! on Why Game Movies Stink · · Score: 1

    I think the key is "tasteful" translation of the elements that make the game fun (Or scary or whatever else the game attempts to be) into elements that make the movie fun. The movie also needs the same elements that give any other movie, book, or play merit: engaging plot, character development, etc. It helps if those are drawn from the game and explored more fully in the movie, as opposed to the House of the Dead movie which basically had nothing in common with the games except zombies and guns.

  6. Someone who's not a Linux Snob on Linux Snobs, The Real Barriers to Entry · · Score: 4, Interesting

    Someone who has always impressed me as a class act is Wietse Venema. When someone on the Postfix mailing list asks a question that's already answered in the man pages, his response is polite and concise: "The answer to your question can be found in the (postconf|postfix|postsuper) man page". It's a response that is neither insulting nor dismissive, and it shows that Wietse thought about your question long enough to determine which man page has the answer, and maybe even asked himself if the explanation in the man page is sufficient.

  7. I would buy more games, honest... on March Game Sales Trend Downward · · Score: 1

    It's just every time I get ready to leave the house it occurs to me that I could play Oblivion til I get one more level and next thing I know it's 4 in the morning and all the stores are closed.

  8. Developers + PSE's on Novell Still Runs Windows · · Score: 1

    Since Novell actively supports and develops Client32 for Windows, GroupWise for Windows, Zen for Windows, etc, I hope they'll keep some Windows boxen around for development and testing purposes. And since their PSEs support accounts that run Windows, those cats need to be using dual boot and/or virtualization setups as well. I say don't focus on how many desktops they didn't migrate to 100% Linux, focus instead on how many they did. I'm also willing to bet that if Novell weren't an IT company that had to develop and support software on Windows, they'd have migrated a much greater percentage of their desktops.

  9. Re:Zenworks or what? on Novell Still Runs Windows · · Score: 1

    ZENworks for desktop management + Red Carpet for patch management.

  10. Re:that was my first thought on Hacker Boot Camp · · Score: 1

    If my employer would give me a week to hang out at the house and tinker/learn then I'd be all over it, but they won't. They will however send me to training wherein I'll be out of town and the majority of my duties will be delegated so I can learn on my own without much distraction. Works for me.

  11. Could be to prevent bad press on Ballmer Babies Banned From iPods and Google · · Score: 1

    I could understand if he was trying to prevent bad press, like the report that came out last year saying that Microsoft employees used iPods. Looks like this is more of a case of drinking a little too much of the kool-aid, and wanting to make sure his kids have some too.

  12. Re:The only rule: on Required Knowledge for a Career in Network Security · · Score: 1

    I know this is an AC troll but I'm bored so I'll bite. Congrats AC, you've just proven one of two things. Either you've never worked as a security professional, or you're currently working as one and are soon to be unemployed.

    If you run Windows, your shit will get pwned. The only question is when it will happen.

    First I have to say, this is exactly the type of language I use when I make recommendations to my CIO. "We need to ripz0r out all these M$ W1nd0ze boxen," I'll tell him. "Or else they'll get pwnz3d and then we'll really be fux0r3d." Yah, that'd go over real well. Besides, a well-maintained Windows server is more secure than a poorly maintained Linux server. The quality of your sysadmins and the working relationship between them and your security team is a bigger factor than what OS the machines are running.

    1. The number of users in your organization who are just straight up stupid and will run anything that arrives in their inbox. Stupid users with laptops that they use on their cable/DSL at home and then bring into the office chock full of malware count as two people.

    You bring up two valid risks here. There are several countermeasures that are appropriate, but "calling the users stupid" isn't one of them. A good security professional will first ask questions like "How can I block the unspeakable evils from coming into my users' inboxes?" and "How can I secure the company laptops so they can be plugged into the users' filthy nasty internet connections and stay clean?" That eliminates roughly 75% of the problem, and for the remaining 25% you have your information security policy and security awareness training.

    2. The number of users in your organization who are too [self-]important to learn how to use their computer properly.

    Or the number of alleged security professionals in the organization who are too lazy and unresourceful to prevent the computers from being used improperly. Don't have the resources to do that? Then get them. Can't get them? Then find a different job. Just not at my company.

    The number of users in your organization who are exempt from your security policies because they are too important to be penalized for ignoring them (e.g. the upper-level manager who has full admin privileges on his PC, has LimeWire installed and surfs shady porn sites all day). All of those count as three people.

    You should be blocking LimeWire at your firewall or with an IPS (assuming your company doesn't have a business need to run LimeWire... hey, it could happen). You should be using a web filtering product to block pr0n. Astaro isn't the best but it's pretty damn cheap. Exceptions to policy should be documented and approved by the CIO as an acceptance of risk. When that manager does something that causes a problem, use it to throw him under the bus.

  13. How Novell can Succeed on Linux Growth Doesn't Offset NetWare Decline · · Score: 2, Interesting

    When Novell chose to throw all their eggs into the Linux basket, they took a huge risk. The problem is they didn't really throw all their eggs in it. Here, imho, is what Novell must do to succeed:

    1. Give away Zen, or at least parts of it.
    Many of the features in ZENworks come part and parcel with Active Directory. There could be a Zen-lite that does the same things that AD admins can do through Group Policy. Include the ability to do similar tasks on Linux machines and Novell can go back from "keeping up with Microsoft" to "staying a step ahead of Microsoft". While they're at it, Novell needs to include support for every aspect of Firefox, including a list of supported plugins and extensions, to make it manageable through Zen. AD admins can manage the IE settings across their network with Group Policy; Linux admins need to be able to do the same thing.

    2. Do the same thing with Red Carpet.
    Novell either needs to give Red Carpet away or have a limited version that operates the same way SUS does. They could have a professional version that will also use a push architecture in addition to a pull architecture. Personally, I loved Red Carpet when I first heard of it. Patch management for my Windows machines and my Linux machines? Score. Here's the problem: I can get patch management on all my Windows machines gratis with SUS / WSUS. I've got less than 20 Linux servers in my environment, about 200 Windows servers, and around 3500 Windows workstations. How could I possibly justify $18 per seat for Red Carpet when I can run SUS for free and just have our admins manually patch the Linux servers? Yes I know Microsoft is the source of the vulnerabilities in the first place, yes I know Novell shouldn't have to give away a product that cleans up Microsoft's mess for free. Y'know what though, money talks. By having to pay extra cash for Linux patch management, that adds to the TCO of Linux while Windows' TCO stays the same, giving Microsoft marketing more ammo to work with.

    3. Improve the Yast firewall interface and add remote management via Zen.
    For that matter, everything you can do in YaST needs to be accessible remotely via Zen. In an AD environment I can manage the Windows firewall on all the machines in my domain via Group Policy. I need to be able to do the same thing in a Linux environment. And the YaST firewall interface is the only one I've seen that actually sucks worse than the Windows firewall interface.

    4. Ratchet up support for Wine. Partner with Codeweavers, or acquire them.
    Novell's Linux support needs to embrace Wine or another emulator to assist with Linux migrations. Their current approach of "run a Terminal Server that hosts the Windows-only application" isn't going to cut it. Users want icons on desktops that run their applications. Clicking an item on the Linux desktop, then logging into a termserver, then clicking an icon on the termserver, then logging into an app, isn't going to fly. If Novell really wants to be successful in migrating companies to Linux, they should partner with or acquire one of the Windows emulation projects, and offer "take your POS custom app that you bought from a vendor or coded in house and make it work on Linux" as a service with a one time fee and optional support.

    I think what Novell's trying to do is great, but I see them hanging themselves with it if they don't stay a step ahead of their competition.

  14. Re:Changing with the times on Has Corporate Info Security Gotten Out of Hand? · · Score: 1

    Excellent points all around. The only one I disagree with is wishing things were like they were ten years ago. Ten years ago corporate America hadn't been abused by security compromises to the point where every enterprise environment NEEDS a security person/team. I love things being the way they are now because a) I have a security job, and b)when I describe the potential impact of an incident, (most) people know I'm not bullshitting.

  15. One or Two Sentences, sans typos? on Bad Press For Gold Farmers Affects Chinese Players · · Score: 1, Funny

    ...players are asking anyone who wants to join a group to type one or two sentences in English. If the sentences contain spelling or grammar mistakes, the player is rejected.

    Dude, this disqualifies damn near every gamer I've ever encountered.

  16. Re:One Gets the Feeling... on Businesses Urged To Use Unofficial Windows Patch · · Score: 1

    One gets the feeling that the MS programmer didn't want to come in over the New Year's holiday to work on some piece of legacy code...

    From reading the MSRC blog, I personally get the impression they've been working as hard as possible on a patch. While coding can be quick work, testing is a slow and painful process.

    Having said that, the statement from Microsoft trying to minimize the impact of the vuln actually did them more harm than good, imo:

    "Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."

    Almost any graphics file hosted on any server or embedded in any email could host exploit code. Furthermore, kits are out there that allow the kiddiez to put together their own WMF files that will get around AV and IDS signatures.

    Bottom line - this is a serious vulnerability, and Microsoft should own up and admit that it is.
  17. Re:Exploit! on Businesses Urged To Use Unofficial Windows Patch · · Score: 1

    It's Firefox only until a patch for this comes out.

    How bout "it's Firefox only from now on, unless a site I absolutely have to browse to requires IE"?

  18. Re:Does MS view this as important? on Businesses Urged To Use Unofficial Windows Patch · · Score: 1

    I know you're pseudo-joking, but I'd like to think that a Linux architecture where a graphics file could contain arbitrary code would get shot down pretty quick.

  19. I know how on Algorithms Determine Mona Lisa's True Emotions · · Score: 1

    Mona Lisa was 83% happy and 9% disgusted.

    Someone showed her a renaissance painting of goatse.

  20. Re:What did you expect? on Computer Jobs -- How to Resign Professionally? · · Score: 1, Redundant

    they realize you would have/could have committed nefarious acts _before_ giving notice

    This is just a matter of sound risk management. An employee who is on the way out is an employee with little to no fear of repercussions, and therefore presents more of a risk than an employee who hasn't put in her notice. I've worked with people who seemed like they were 100% stand-up guys, but once they were on their way out they went into Total Dick Mode. It's a very reasonable practice to conduct an exit interview on the spot if someone puts in their notice; it may hurt your feelings a little bit but it protects the organization from loss. It sounds like both you and your employer conducted yourselves professionally.

    My suggestion is, you and your hurt feelings enjoy the next two weeks of watching Gilligan reruns on your former employer's dollar. You can also take the opportunity to read up on any new technologies you'll be working with. Or see if you can link up with some of your future coworkers for lunch, then you'll be able to hit the ground running at your new job.

    btw - congrats on the new job, good luck with it.
  21. Risk Assessment on Don't Network Administrators Require Privacy? · · Score: 1

    A big factor is the security requirements of the data you're protecting. A manufacturing company's security needs are not the same as the NSA or as a small retail shop. If your organization has a security person or team who has the CIO / IT manager's ear they should be able to have a dialog about the acceptable levels of risk.

  22. Re:More/alternate info on Free or Open Source ITIL Tools? · · Score: 1

    Where ITIL has its place is to direct IT leadership that have gotten distanced from technology and/or haven't kept up with things since their days as a tech.

    Besides keeping management in line, ITIL (or any other methodology) forces techs to document their setups and procedures, something many of us aren't good at (or just don't like to do).

  23. Re:Clueless Analyst Syndrome on Cisco Updates Network Security Technology · · Score: 1

    I already put my foot in my mouth responding to a previous comment but I'll gladly do so again. Mmm, yummy. Could use a little ketchup though.

    I was in a pissy mood but I had no right to fire a shot in your direction because of it. If I had mod points and could mod my own post down I'd gladly do so. Please accept my humblest apologies sir.

    On a related note, I'm instituting a self-enforced ban on posting in tech forums right after getting out of a change control meeting.

  24. Re:You are looking at Trusted Computing. on Cisco Updates Network Security Technology · · Score: 1

    From what I've seen it will only require Cisco devices at the access layer. It would have been nice if they had built it similar to Check Point's intrusion prevention, where the client talks 802.1X with the switch and deliberately fails its dot1x authentication if the agent doesn't like something about the host's configuration.

  25. Re:Clueless Analyst Syndrome on Cisco Updates Network Security Technology · · Score: 1

    Then I guess the Cisco SE's I met with last year were bullshitting me. Thanks AC.