Slashdot Mirror


User: Dark+Coder

Dark+Coder's activity in the archive.

Stories: 0
Comments: 547

Comments · 547

  1. Re:IPS/IDS and firewall are the dumbest ideas.... on Intrusion Prevention and Active Response · · Score: 1

    How on earth did you guess that I actually perused all these codes? (snicker).

    Anyway, no joke on my part.

  2. Re:IPS/IDS and firewall are the dumbest ideas.... on Intrusion Prevention and Active Response · · Score: 1

    IDS is dead... IPS will be dead.

    Mark my word.

    Disclaimer: And Marcus left NFR at least three years ago and then arrived at this brilliant realization (so did I). He is an excellent engineer and technological guru --

    You... you're just a poorly informed anonymous coward (prol'y from 3COM or TPTI).

  3. First Post.... SERIOUSLY! on The Six Dumbest Ideas in Computer Security · · Score: 1

    I know this is not the first post within this topic, but I've mentioned Marcus's finer points in an earlier topic...

    http://slashdot.org/comments.pl?sid=161733&cid=13522744
    link here

    After two excellent story submission rejections, I can't take it anymore.

  4. IPS/IDS and firewall are the dumbest ideas.... on Intrusion Prevention and Active Response · · Score: 2, Insightful

    Marcus Ranum said it best: Six dumbest Ideas in Computing Security.

    Having worked on the 10Gbps IPS, I can tell you that this is becoming a rapidly dumb idea (along with firewall). My experience in signature writing was telling me that this is becoming an exercise in futility.

    If you can ascertain that your network-based applications are secured (via code-review), none of these ancillary cash-burning network security add-on infrastructures would matter. A fool is soon parted with his money.

    Spending some time reviewing the application code may be more cost effective.

    Web Server? Go tinyHTTP. Fewer codes, less (or no) exploits.

    Simplify, simplify, simplify (K.I.S.S.)

    Sheesh.

  5. Re:YIKES! Tossing out the groupware?! on Infrastructure for One Million Email Accounts? · · Score: 1

    I can't agree with you more, but at the time a decision was made to sweep in a guru Sendmail consultant but only after a carefully detailed RFP has been sent to him.

    I knew I could handle sendmail.conf, but given the time and money, it was cheaper to contract that one out.

    Google/Yahoo wasn't in full force at the time the primary MTA decision was made, so it was extremely difficult to compare MTAs without actually deploying selected candidates (no time).

  6. YIKES! Tossing out the groupware?! on Infrastructure for One Million Email Accounts? · · Score: 4, Informative

    Gee whiz... I'm surprised that the groupware is getting tossed out. If as few as 20% of the users are accustomed to Outlook Calendaring, they'll represent 95% of the complaints in a new system. An advance warning to all existing accounts should be mailed out (both paper and email) so that nothing falls through the cracks.

    Now to the mega-infrastructure that I set up for an undisclosed company for under 50K (and also didn't want groupware).

    1. Transport Sender (sendmail). That's right! Good ol' plain sendmail scales. It does require some pretty savvy tweaking so get a Sendmail.Com consultant onboard just for this. Use SleepyCat DB for speed for all sendmail setups. For one million, I had about 23,000 transactions per minute during the day. You'll require 10 servers for this for cushion (against some idiots sending an ISO attachment).

    2. Payload receiver (sendmail). A second group of machines to handle the reception of SMTP payloads.

    3. IMAP4S/POP3S - Hey what's with the "S"? Nothing like sending your user's password in the clear. Unless you enforce VLAN in your corporate environment and limit all IMAP4/POP3 to VLAN, the "S" is a mandatory security feature, inside and outside. Guess what "S" stands for?

    4. Webmail - SquirrelMail - Yet another dedicated server (to which I had to add two more load-balanced servers to handle the growing pains). Use https for login only.

    5. AntiVirus (ClamAV) - It was the best back then, now it's just running in the middle of the pack. sendmail has milter that allows extensibility such as MIMEDefang, wilter, rureal (reverse-DNS check), SpamAssassin, and SPF.

    6. Support - Half the effort is put into those webpages that would 'hand-hold' these newbies into reconfiguring their machine. Worth the effort if you have over 20 expert PC users that can do their boxens. Otherwise do it yourself at each PC. These pages should cover Thunderbird, Evolution, as well as Outlook and Outlook Express.

    7. Learn to spin 11 plates, one on each pole. Keep them spinning... If they start to drop and break, bring in some more Unix dudes.

  7. Hear ye, hear ye, get your papers for free! on Google Lawsuit Exposes Microsoft Offshoring Deal · · Score: 1

    And yet for another Slashdot'n against the (cough, ahem) dual-axis "evil" empires, Chinese leader visits Microsoft campus.

    Obligatory link

  8. It's gonna be mostly a guessing game on LGP Announces New Competition · · Score: 2, Interesting

    For the first 30 seconds of a 30x30 image, it'll be a guessing game until the title is hit upon.

    It's gonna get a magnitude longer for any 300x300 image.

    This is based on the ability to distinguish a FAX image under heavy noise conditions without error correction.

    Add color and it may get worse at first, then better later than grayscale image.

    I proposed a new rule: no guessing allowed to make things more interesting.

  9. Recent convert from anti-biometric to pro-biometri on Hashing Out the Next Step in Biometric Security · · Score: 1

    I've been a long-time advocate of NOT using biometrics (confirmed by many slashdot posters in this topic) until recently...

    The three categories are listed again as something you: HAVE, REMEMBER, and ARE.

    Perhaps, we're a bit hasty in throwing out the biometric equation as being harshly non-revocable (no amount of hashing marketspeak can shake that solid notion).

    What if "ARE" is being used as a first line of defense, albeit a very weak defense? It would make the whole authentication/authorization more casual and quicker for general consumer market.

    Such a step may entail:
          1. Pull out smartcard
          2. Press thumb over scanpad
          3. Enter in PIN, releases unique RSA for this 1 transaction
          4. Scan smartcard over point of sales

    This would solve nearly all of the ease-of-use issue, in fact, I seem to recall this kind of program is being rolled out in certain parts of Europe.

    Now, next step is to RSA'sified our SSN. Particularly a unique one for each financial institution. And later, for each transaction.

    Would this cutup be a bane to our credit history? Not really, the government would have to categorize these transactions and then broker the information selectively to our (ahem) favorite credit bureau.

    Many corporations, particularly umbrella-type, that share financial information would HATE this. But it goes a VERY long way to protecting our individualism without resorting to VERY expensive law-enforcement with minimal re-infrastructure.

  10. More like... on Chinese Websites Used As Launchpads For Cracking · · Score: 1

    North Koreans hacking into Chinese infrastructure (mostly without them knowing) and then using it as a steppingstone to further malicious activities.

  11. Obligatory Quip on A Piece of CherryPy for CGI Programmers · · Score: 1

    Easy as pie?

  12. A dissent against a dissent on Do We Really Need Space Weapons? · · Score: 1

    Land is essentially worthless until it is militarized.
    Ocean is essentially worthless until it is militarized.
    Orbital space is essentially worthless until it is militarized.
    Antarctica is essentially worthless until it is militarized.
    Moon is essentially worthless until it is militarized.
    Mars is essentially worthless until it is militarized.

    Did I miss the mark here or is this seemingly endless progress of mankind?

  13. Re:It's the Wall Street Journal, people on Linux Feels Growing Pains · · Score: 1

    Not to mention the CxO not being able to read between the lines in "Get the Facts" campaign.

    Indeed, smack with the ole cluestick.

  14. Re:PRIOR ART!? on Hacking the Fluorescent Light · · Score: 1

    I mean... I swapped the tube... I still have it... (sheesh)

    Dang, Freudian slips.

  15. Map of Google Headquarter on Google Urged to Drop Images · · Score: 1

  16. Start with the root-less variety on Reducing Plant Stress Leads to Martian Farms · · Score: 1

    Until we get some beneficial soil-based bacteria introduced, no root-based plants can take life on Mars unless potted.

    Maybe, those 1000-year old pine trees (Joshua) may cut it in such a hostile environment (takes a little potted soil to get it started altho).

    Mosses, popping mistletoes, and fungus have the best anchor in such a hostile environment.

  17. Microsoft's 7 Stages to Profit on Windows Vista May Degrade OpenGL · · Score: 1

    1. Watch the yipping competition nipping at your heels
    2. Get annoyed
    3. Watch the market share slide (IE)
    4. Announce how bad the competition is (Get the Facts)
    5. Embrace the competition (Kerberos/Active Directory)
    6. Engulf the competition (OpenGL with DirectX)
    7. Profit?

    So many ways to a profitable monopoly.... Still surprised?

  18. PRIOR ART!? on Hacking the Fluorescent Light · · Score: 1

    Sorry, fella. But seriously, there is prior art to this one.

    Read on...

    On March 11, 1986, a college dormitory had a power outage in the middle of the nite. Imagine a hallway without windows, just dorm doors.

    Anyway, there is a lone light fixture that illuminated the middle of the hall. Naturally, like moths, students began to congregate around the lite.

    It remained bright enough for some of the students to hold conversation in sign language.

    It stayed lit for four hours before the power was restored. More than 10% of brightness remains.

    So, I swiped the tube... I still have it...

  19. Re:Does not prevent Linux/BSD from running on Mac on Mac OS X Intel Kernel Uses DRM · · Score: 1

    Oops.

    I meant to say "OS Provider MUST shell out $$$ to deploy a HW that authenticates OS."

    TPM-based motherboard is just an add-on and mostly a no-op for today's OSes.

  20. Does not prevent Linux/BSD from running on Mac H/W on Mac OS X Intel Kernel Uses DRM · · Score: 1

    Relax.

    TPM is not about openness or restrictive use of H/W. Only about authorization of OS to enable certain SW components.

    TPM only enables the resident OS to enforce whether it should run or not (all or parts of it; most likely parts of it).

    Having Linux and TPM, together, is only useful if you are making commercial distros (albeit a very restrictive one).

    So, try not to get your panty in a bunch -- Intel-based H/W manufacturer ain't going to make machines if it ONLY runs on a specific operating system. Low profit margin in an already thin-operating margin/market. OS provider MUST shell out $$$ to deploy this TPM-based HW.

    The only danger I see down the road, is pulling a lefthook (after widespread TPM deployment) is hooking the Hard Drive to TPM. Its profound ramification, I leave to your imagination.

  21. Illegal? on Possession of Cantenna Now Illegal? · · Score: 4, Funny

    But sir, this is my TV antenna that I use with my WinTV PCMCIA adapter card.

    No wonder why I got bad reception, it's in the WRONG antenna jack!

  22. Re:Latency hurts, however... on Tor - The Yin or the Yang? · · Score: 1

    Wrong side of the equation. WTFA.

    A> It is the proxy TOR that is sprouting attack packets. Not the TOR network itself. TOR is a carrier, AND an emitter of attack launch platform. You talk only of stopping the carrier network which is usually beyond your reach.

    B> Quake will work through TOR using port redirector and an IP tunnel that works perfectly fine across UDP/TCP boundary. (although why would ANY serious gamer want to do this)

  23. Re:intrusion prevention on Network Intrusion Detection and Prevention? · · Score: 1

    Sounds like a plug....

  24. No teeth... No reins. on Freelance Programming Sites? · · Score: 3, Insightful

    Unless this "coder" resides in the same juris-dick-tion as you do, he ain't going to be reined in to observing your conditions upon completion and delivery.

    Stick to the locals, at least you have more business rights that way.

  25. What happens when a virtual "ant" gets demented? on AI Allowed to Create Their Own Culture · · Score: 0, Redundant

    Is there such a thing as a virtual agent that goes berserk? Like a cancer?

    Will "it" take over the world, er, um, simulator?

    Will we gain insight as to how this twisted ant maps to our reality?