Slashdot Mirror


User: KrispyKringle

KrispyKringle's activity in the archive.

Stories
0
Comments
657

Comments · 657

  1. Re:Pharmaceutical Industry? on Cyberchondria · Score: 5, Funny
    Are you afraid of bad things happening? Do you worry occasionally? Do you dislike uncomfortable social situations, or occasionally feel out of place? Do you sometimes think you may have said the wrong thing, or wish you were better at something? These are all symptoms of severe depression, an illness that affects nobody except you. It isn't normal to feel this way, and you probably are very ill.

    Depression is caused by neurochemical imbalances that result in you being a social outcast and a freak. But don't worry! Help is here! New Placeboflexin is designed to treat these symptoms, so you can resume your regular life. Ask your doctor if Placeboflexin is right for you.

    In clinical trials, subjects reported headache, dry mouth, and nausea in about the same proportions as those taking placebos. Placeboflexin might not be right for you. Ask your doctor.

  2. Re:WHere is my half life2 and photoshop? on Desktop Linux Share Overtaking Macintosh · Score: 1
    I'm curious to see where you get your statistics from.

    Yeah, Linux adoption among geeks is big. But the biggest adoption, or at least most serious, would be that 24% of the server market (if I remember that number right). Think about the thousands of nodes at Google running Linux. The hundreds of financial institutions implementing it in their IT infrastructure. The universities and small business and hosting companies.

    Similarly, the significant desktop installations are the thousands of corporate PCs that are switching. IBM's 300,000 some-odd employees, all using Linux. The Chinese and Israeli governments. Airline booking terminals, warehouse inventory stations, and so forth. Home users--and I'm one of them--are not where the big money is likely to be for a good bit (beating Microsoft when battling for the desktop of middle-aged lay-person desktops is a tough gig).

    Also: plenty of RPM based distros are free for download (Fedora, Mandrake, YellowDog, to name a few). Many now come standard with apt, redcarpet, etc. I don't like RPMs, but you are a bit misleading when you say people refuse to pay for RPM hell. And FreeBSD is not Linux. Only OSes which use the Linux kernel are Linux.

  3. Re:Old? on NASA Prepares to Open Source Code · Score: 4, Insightful
    NASA presumably has far more custom software than just what runs on Hubble, etc. What's in use on the Shuttle might be 8086's, but what's in use on the ground for image processing, navigation control, simulation, and so forth is most likely a lot more state-of-the-art.

    NASA does a lot of stuff, and much of it is indeed cutting-edge. Don't discount this so quickly.

  4. Re:I hope not! on Alias In Acquisition Talks With Private Equity Firm · Score: 2, Interesting
    It may make sense for Final Cut Pro (a product where trying to gain Windows marketshare doesn't make much sense, since the competition is reasonably stiff). It would make little sense to do this with Maya. The number of Windows and Linux users is already very high, and the Windows and Linux versions are already in production. It'd make little sense to simply cut off this marketshare, and I doubt Apple would turn their backs on the profits available, even to drive sales of Macs.

  5. Re:Best way to learn on Learn How to Program Using Any Web Browser · Score: 1
    You didn't come across as rude. I just wanted to make sure I hadn't. ;)

    I think we've both converged to the center enough that I don't have any argument left. I agree with your post. My point was merely that people who argue that computer science degrees didn't help them in the real world didn't understand what they signed up to study.

    It's been good talking to you. This is the part of Slashdot that's at least somewhat worthwhile.

  6. Re:Best way to learn on Learn How to Program Using Any Web Browser · Score: 1
    See, I'm not trying to be rude, but I do think I understand what you are saying. Problem is, there's something I'm trying to tell you that you don't get.

    I have no doubt that the business world teaches things that university doesn't. I said as much; in my (admittedly more limited) work experience, I've learned a lot of stuff I didn't learn (and never will learn, most likely) in classes. But they aren't the same things. What I learned at work was applied. It was organization, management, planning, and basic work skills. Of course, I also learned technologies like PHP, Perl, pretty much all the systems administration I know (Linux and BSD, Apache, Postfix, MySQL, among others), a lot of networking hacks and so forth, that would never be taught in a theory-oriented computer science class.

    One thing I didn't learn on the job, though, was how RSA works. Or how to compute the difficulty of a sorting problem or choose the best data structure or search algorithm for a particular function. How buffer overflows work, or how to code so that I maximize locality to improve caching. And a lot of far more theory-oriented stuff, like proofs of correctness, statistical sampling, and so forth.

    You clearly know a lot about business. I don't doubt that. And I'm sure I could learn a lot from you. My point is simply that yes, I have a few things to learn that I can't learn at school. I admitted that. But while you've learned coding, systems administration, and business management, I've been studying computer science. Saying that my degree in computer science leaves me without knowledge of those things is like saying a degree in chemistry leaves you without valuable accounting skills. Well, duh. I'm not studying business; I'm studying computer science. And as I said, contrary to popular belief, computer science isn't coding, or programming, or systems administration. I'm sure you do all those things well, but before you speak about what I don't know, take a few courses in computer science. You'll find that it's not at all what you most likely expect (here, at least; like I said, many schools teach it differently, and some places all it is is coding).

    Look, if you give me a business to run, I'm up the creek. I wouldn't know what to do. But if I give you, I don't know, a randomized quicksort algorithm to show the running-time of, or something involving the Polya Urn Scheme, or the expectation value of the Birthday Problem, or ask you to prove the security of a public-key encryption system, can you answer those off the bat? If so, I take back everything I said. Mostly.

  7. Re:Best way to learn on Learn How to Program Using Any Web Browser · Score: 4, Insightful
    You may disagree on every point, but I think you pretty much make my case for me. You say that you knew more about ``computers, programming, getting systems to work, and generally getting around the business than most of the lecturers...CS does not teach you what you need to know about what you will need in business [sic]''.

    This I agree with entirely. Now, this depends a lot on where you go, for sure (for example, where I am a student, we have many group projects, precisely to teach more applicable programming skills), but many computer science programs (and indeed, what makes it computer science instead of IT or coding) teach theory. They leave it to you to learn the (relatively easy) application. For example, I've learned languages that I will never use in work. Ever. But I can learn a new language of most sorts in a few hours.

    There are many facets to computer science, and it seems you've only seen a few. For example, I have a professor who does very well-funded secure systems work for the DOD (he's been mentioned on Slashdot in the past). If that isn't practical application, I don't know what is. At the same time, I have another whose primary interest is quantum computing theory, something not likely to be remotely practical for many years or decades (I believe the highest number factored so far was 15).

    You remind me a lot of a business student who was taking a computer science class I was in. He made a jerkoff statement about how business computing classes (in which he was learning Microsoft .NET) didn't bother to teach how hash tables actually work, but just how to use the implementation. He argued that learning how they work is a waste of time, since in the real world, you'll only have to implement the .NET libraries, not actually code a hash table from scratch.

    His failure of thinking is pretty obvious. Anyone can learn to use the .NET libraries in a few hours (even him). But in a few years, when .NET is out and something else is in, he's gotta learn that all over again. And anyway, all that aside, somebody's gotta actually write the libraries, even the ones at Microsoft.

    You sound like you do a lot of applied computer science--systems engineering, administration, perhaps coding--but this isn't what computer science is all about. If your eyes glaze over at the thought of algorithm design or proofs of correctness, you might still be a perfectly decent coder, but computer science probably isn't for you. Don't get me wrong, either. I'm a student, but I also work as a systems programmer. And a lot of the skills I knew from classes really weren't applicable. I could code, but I needed a lot of work on my organizational and project-management skills. And to be honest, pretty much everything I know about systems administration, Linux, BSD, and networking I learned on my own. What I learned in school, you are right, was not specifically what I needed to do my job. It was more.

    And I think you are backwards about Universities trying to make sure they handed out ``so many'' degrees. If they hand out too many, they become devalued. It's all about keeping themselves exclusive that makes anyone willing to pay tuition.

  8. Re:Best way to learn on Learn How to Program Using Any Web Browser · Score: 4, Insightful
    Perhaps a degree isn't the best way to spend your money. I'll give you that.

    Past that, though, I'd be very interested to see your arguments that a degree doesn't teach you anything. Sure, you could go learn it from books, on your own, perhaps. If you were a genius. But without someone to guide you, to show you what to learn (because you just don't know what you don't know), you've got a far more difficult task ahead of you to learn the same things. And only a very small number of people I've met can learn everything they need completely on their own (coding, systems administration, and so forth are pretty easy--but they aren't what I'm talking about).

    University degrees vary, admittedly. Some really are just how to code. And those don't get you anything you couldn't learn on your own. But some teach you computer science (which has about as much to do with coding as civil engineering has to do with construction work). Calculus is useless, perhaps, but math is not. Algorithm design allows you to learn about what problems can and cannot be solved. Why encryption works and which technologies can be broken. How to design programs and algorithms which will always give you the right answer. How to implement a system which you can prove to be correct, and which you can prove will always execute in a certain amount of time. How a compiler works, and how we know it can deal with any legal input (and detect any illegal input).

    Any joker can learn to whip shit up in PHP. Anybody, given a little time, can learn to do application programming. Not to deride those, either; they're fun and valuable. But if you haven't learned these things (and from the sound of your post, I'd guess you didn't), you don't know how valuable they are. Or perhaps you learned things you didn't need for your job. Fair enough. But there's more to being satisfied than raking in the big bucks. And academics, as much as you may not appreciate them, are in fact valuable.

    A lot of universities have serious flaws in their programs. But that doesn't mean they are worthless. Like I said, learning on your own is great. But you don't know what you don't know.

  9. Re:Hold up on Worst Terms of Service Ever · Score: 1
    I've been wondering about this. With freely provided software, the consideration is presumably the right to use the software in exchange for forfeiture of certain other rights (i.e., not reverse engineering, not reselling, etc...). But now, if I am to download some software from, say, download.com, and reverse engineer it without ever installing it (and thus without clicking the ``I agree'' button), I was never presented with the contract and never agreed to it, so...

    Seems like a silly loophole, but it sounds technically sound to me. Downloading software, unlike shrink-wrap licenses, can be done without ever seeing a contract agreement.

  10. Re:Get a Tech Writer Already on Red Hat to Release Enhanced-Security Linux · Score: 1
    But the point is that Michael Tiemann did bring it up first. The writer clearly doesn't understand the import of what Tiemann said, but it's still an accurate quote tying the two together (presumably).

    And, yeah, the implication was that Eclipse does create SELinux policy files, I think. I've never used SELinux, though, so I don't really know.

  11. Re:Get a Tech Writer Already on Red Hat to Release Enhanced-Security Linux · Score: 1
    I think the point about Eclipse was supposed to be that an easy-to-use development platform ``take[s] the development of security off the shoulders of individual corporations and put it in the hands of the community at large.''

    Presumably Tiemann made this comment (a perfectly valid one, giving kudos to the Open Source community) at EclipseCon just to tie it in with SELinux, and the writer didn't really know how (in)significant this comment was.

  12. Re:Well, there go the logfiles on "Port Knocking" For Added Security · Score: 1
    Hope I'm not being a jerk by continuing this thread long after it should have died, but it's this sort of conversation that I find remotely redeeming about Slashdot. ;)

    Anyway, I think you are right in saying that the main advantage is obscurity--the added keyspace, when I think about it, could just as easily be gained from a longer SSH key or using public-key authentication--but nonetheless, if stealth is a requirement (hiding the machine's or services' existence), this is a very good way to do so. If the machine is unknown, it is likely that no attackers will ever even attempt to get in (granted, sniffing would expose its existence, but it's not as if knowing it's there makes it any weaker, either). In other words, what you see as only security-through-obscurity is actually a very valuable asset, in certain circumstances (e.g., setting up a logging host that is invisible to all but those who know the knock sequence--though there are other good ways of doing this, admittedly).

    I think the other major point you do make, quite correctly, is that the introduction of weaknesses is relatively unknown. And I agree; I probably wouldn't volunteer to be the first to set up this system. But, at the same time, the system is theoretically sound, and I see this argument as no better than saying, ``well, we don't know the quality of code written by the authors of this new-fangled SSH thing yet, so we don't want to use the first release.'' It's a valid point, but it's no reason not to continue development.

    So essentially, the only benefit we get from this is the ability to actually hide what other services are listening (as you say, mere obscurity; it's conceivable that those better-known servers like OpenSSH are also a lot more secure than something new and untested like this). The added-keyspace argument's major weakness is that, while it does add value, it adds no more than simply having a longer SSH password or using public-key authentication instead.

    So, yeah. For me, since I have a public webserver anyway, I wouldn't be able to hide the existence of the machine, even using this. So I'd get little benefit from this. So I'd never bother. I suppose, when I think of it this way, it's only really useful at all if stealth--hiding the machine's or service's existence completely--is an important goal. If cryptographic difficulty is required, simply use public-key authentication.

    But still...it's not a bad idea. Just kinda obscure and not that useful. ;)

  13. Re:Well, there go the logfiles on "Port Knocking" For Added Security · Score: 1
    First, as the other replier noted, any form of security employed today, other than biometrics, relies on the user knowing something that someone else doesn't. That is the entire theory behind password authentication. ``Security through obscurity'' only has a bad connotation because it implies a lack of any further security (e.g. closing the source and hoping nobody notices the lack of bounds-checking). It's not necessarily a bad thing, however, as in this case.

    Two, you haven't explained why it's a bad thing that the firewall's behavior is changed. Potential DoS? Not any more so than with any other firewall rule (save for the spoofing issue, which is an issue with paranoid bad-password-lockout schemes anyway).

    Three, you claim that anyone with a sniffer (who must be on the local non-switched network) will be looking for probes to non-responsive ports. You know how many SYN packets fly across the 'Net and get no response (or get a RST)? Way, way too many to filter out the meaningful ones. Even if someone knows what he's looking for, it won't do him a world of good.

    It's certainly not foolproof. But it's an added layer. Your argument about a false sense of security implies that the layer approach to security is bad, because any weak layer motivates the admin to ignore implementing a stronger layer. I would say that anyone skilled enough to implement this (and I'll admit I'd have to read the iptables docs a bit to get this one working right) probably knows enough to know its limitations. It's not as weak as telnet. Even if someone knows the knock sequence, he's got no more than if I just had an open SSH server (like I do now).

    It's patently obvious that this is imperfect security on its own, and that there is a potential DoS with spoofed failed attempts. But I would be very impressed and surprised if you could argue some actual weakness from this, or argue that it doesn't accomplish its ends reliably. And I'm afraid you simply haven't convinced me yet.

  14. Re:Well, there go the logfiles on "Port Knocking" For Added Security · Score: 1
    No, it doesn't. Read the article. It would be running an added firewall rule that responds differently to connections that were previously attempted on the set ports earlier. There's still no daemon listening. Yes, a slightly higher load from a slightly more complex firewall rule. But not much.

    It still responds in the RFC-approved way. You can still set the target on those ports to REJECT (if using iptables) or DROP (though that's not the RFC-approved way). So you still send back a RST, and the client knows no differently than that the port is closed.

    And your added keyspace is quite significant in this case, since it's not just a mathematical gain, but, in the real world, means you can set your targets all to DROP and hide the existence of your machine completely, making it likely that kiddies will simply leave you alone (obviously this makes no sense if you are running some other public server).

  15. Re:Well, there go the logfiles on "Port Knocking" For Added Security · Score: 1
    You didn't read the article?

    This isn't a daemon that listens on multiple ports. It's simply an option you would enable in your firewall (easily done with IPTABLES, for example) to only allow connections that have previously attempted to connect to a certain number of blocked ports in a certain order. The response from the blocked ``key ports'' is still not an ACK, it's a RST (or no response at all, if you prefer the DROP target, which perhaps makes some sense in this case). So there's nothing actually listening on those ports, and no response given indicating that anything is.

    It wastes a minimal number of resources with the more complex firewall rules, you are right. But not much.

    And you've sort of taken that thing about listening on as few ports as possible out of context. If I have SSH listening on two ports instead of one, it's really no less secure (except to SYN attacks, perhaps, which are easily defended against anyway).

  16. Re:Not good on "Port Knocking" For Added Security · Score: 1
    Presumably the parent referred to blocking off that particular IP address. You could certainly spoof it, but this is really no different than current systems that block a session after a certain number of false password entries for a limited amount of time (long enough to make brute-forcing hopeless). It's marginally different, in that if someone spoofs the address of a legit client, he can have that client blacklisted for a short period of time, but this isn't a new idea (there's an Apache module, for example, that blocks hosts that appear to be mucking about or DoS'ing, leaving open a potential spoofing DoS; I run a little bottrap script on my website that blocks spambots, again leaving open the door to spoof attacks and a DoS).

    Not saying it's not a problem, but for people paranoid enough to implement this, it's likely a worthwhile trade-off.
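The mechanism argued over in comments 14 to 16 (a packet filter that remembers which sources hit the blocked key ports in order, opens the protected port only for those sources, keeps answering every knock port as if it were closed, and can blacklist a source after repeated bad knocks) can be modelled as a small state machine. The following is an added illustration written for this archive, not code from the discussion or from any port-knocking project; the knock ports 7000/8000/9000, the timing windows and the lockout threshold are constructed values, and the trace of inbound SYNs is constructed sample data.

```python
"""Model of port knocking as a firewall rule set: no daemon listens on the
knock ports, the filter just tracks per-source progress through the sequence
and lets the protected port through only for a source that completed it.
Every other packet gets the default verdict (REJECT, i.e. RST, or DROP).
Ports, timings and the sample trace below are constructed for illustration.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed key ports, in order
PROTECTED_PORT = 22                   # service exposed after a correct knock
KNOCK_WINDOW = 10.0                   # max seconds between consecutive knocks
OPEN_FOR = 30.0                       # seconds the protected port stays reachable
LOCKOUT_AFTER = 3                     # wrong knocks before a source is ignored
LOCKOUT_FOR = 60.0                    # seconds a blacklisted source is dropped


@dataclass
class SourceState:
    progress: int = 0          # knocks of the sequence matched so far
    last_knock: float = 0.0
    open_until: float = -1.0   # time until which PROTECTED_PORT is accepted
    failures: int = 0          # out-of-order knocks seen
    locked_until: float = -1.0


class KnockFilter:
    def __init__(self, default_target="REJECT"):
        # "REJECT" answers with RST like a closed port; "DROP" stays silent
        self.default_target = default_target
        self.sources = {}

    def handle_syn(self, ts, src, dport):
        """Verdict for one inbound SYN: 'ACCEPT', 'REJECT' or 'DROP'."""
        st = self.sources.setdefault(src, SourceState())
        if ts < st.locked_until:
            return "DROP"  # blacklisted source (the spoofable lockout of comment 16)
        if dport == PROTECTED_PORT:
            return "ACCEPT" if ts < st.open_until else self.default_target
        if dport in KNOCK_SEQUENCE:
            self._advance(st, ts, dport)
        # knock ports, like all other ports, look closed to the client
        return self.default_target

    def _advance(self, st, ts, dport):
        if st.progress and ts - st.last_knock > KNOCK_WINDOW:
            st.progress = 0  # too slow between knocks: start over
        if dport == KNOCK_SEQUENCE[st.progress]:
            st.progress += 1
            st.last_knock = ts
            if st.progress == len(KNOCK_SEQUENCE):
                st.open_until = ts + OPEN_FOR
                st.progress = 0
            return
        # wrong port for this stage: reset and count a failure
        st.progress = 0
        st.failures += 1
        if st.failures >= LOCKOUT_AFTER:
            st.locked_until = ts + LOCKOUT_FOR
            st.failures = 0


def run_trace(trace, default_target="REJECT"):
    """Feed (time, source, dport) SYN records through one filter; return verdicts."""
    f = KnockFilter(default_target)
    return [f.handle_syn(ts, src, dport) for ts, src, dport in trace]


# Constructed trace: one legitimate client and one source probing out of order.
SAMPLE_TRACE = [
    (0.0, "10.0.0.5", 22),    # before knocking: looks closed
    (1.0, "10.0.0.5", 7000),
    (2.0, "10.0.0.5", 8000),
    (3.0, "10.0.0.5", 9000),  # sequence complete, port opens for 30 s
    (4.0, "10.0.0.5", 22),    # accepted
    (5.0, "10.0.0.9", 8000),  # wrong first knock -> failure 1
    (6.0, "10.0.0.9", 7000),  # correct first knock
    (7.0, "10.0.0.9", 9000),  # wrong second knock -> failure 2
    (8.0, "10.0.0.9", 22),    # never opened: looks closed
    (9.0, "10.0.0.9", 8000),  # failure 3 -> source blacklisted
    (10.0, "10.0.0.9", 7000), # silently dropped while blacklisted
    (40.0, "10.0.0.5", 22),   # open window expired: closed again
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(rec, "->", verdict)
```

Two things the trace makes visible that the thread only states in words: a client that knocks correctly sees exactly the same RST (or silence) on the knock ports as a scanner does, so the knocks themselves leak nothing about which ports matter, and the lockout keyed on source address is what turns a spoofed bad knock into a short denial of service for the spoofed client.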

  17. Re:If you want free VMWare check out Xen on Bochs x86 IA-32 Emulator 2.1 Released · Score: 4, Interesting
    Or check out Plex86. It's by the maker of Bochs, but designed to be more like VMWare. Caveat: it only runs Linux at the moment.

  18. Re:There oughta be a law... on Ripoff 101: Gouging Students for Textbooks · Score: 1
    It's not really a monopoly. A coworker of mine (by coincidence, unless he's a Slashdot subscriber or something) mentioned how some kids, when he was in school, would rent out a UHAUL, buy a few hundred copies of the most popular text books, and sell them at cut rate a block up the street from the bookstore.

    Not a bad idea.

    Other than that, a lot of professors do care. It just depends on where you go. Personally, I just avoid buying books until I can tell if they're really necessary. Plenty of classes I can slip by without needing to actually do any reading anyway.

  19. Re:They can't be serious... on Microsoft Advises to Type in URLs Rather than Click · Score: 1
    It seems OK for me on Firebird 0.7. It displays ``www.microsoft.com[...]@secunia.com/'' (with weird characters in the braces). Perhaps some users wouldn't notice the ``@secunia.com'' part, but it is displaying the address completely correctly. And seriously, I don't think I'd want to be alerted with a popup every time I visit that kinda page the way Opera reportedly does. If I'm submitting something like credit card data, I check the URL and the cert anyway.

  20. Re:Someone explain to the non-Hitchhiker educated. on H2G2 Cast Finalized, Starts Shooting in April · Score: 1
    I'm only familiar with the books. But they're really good. Start with the first one (aptly titled The Hitchhiker's Guide to The Galaxy). Then read the second, third, fourth, and fifth books in the ``increasingly inaccurately named Hitchhiker's Trilogy''. Assuming you enjoy the first one. Which you will.

    The reason the books are popular is because they are outlandish and enjoyable satire. Very comedic, very fun, very radical. A good read.

  21. I've got low hopes on H2G2 Cast Finalized, Starts Shooting in April · Score: 2, Insightful
    Somehow, things that were anti-establishment, outlandish, and unique seem to lose that anti-establishment fun when they're reproduced by a major motion picture studio.

    It always seems like they spend less time poking fun at things like how major motion picture studios do product placement and regurgitate the same old shit and spend more time doing product placement and regurgitating the same old shit.

    But I don't know. Maybe I'm just being cynical. After all, it's Disney! The people who brought us Brother Bear and, uh...yeah, Brother Bear!

  22. Re:FreeBSD not designed as a desktop on FreeBSD 5.2 Review · Score: 4, Insightful
    It's surprising how much of that technology is transferable. Of course, it used to be that an OS that was good as a server had things like multi-user support (and security), multitasking, and networking, things you'd never dream of asking a PC to do.

    But now, I can't think of that many differences. Multi-user systems have the security necessary to keep networked systems free of viruses and spyware. Good multi-tasking is something you want on the desktop as well. PCs now do as much networking as servers. Stability and security? Yes, please.

    Similarly, many sysadmins prefer more automatic configuration, graphical interfaces, and the like (I personally wouldn't choose Windows on a server for its graphical configuration, but apparently many do).

    The primary difference, really, is just hardware support and perhaps prioritising software upgrades versus stability. Debian, for example, has slow updates but rock-hard stability. Gentoo (my desktop of choice) has a few reliability issues (in my experience, but you can take issue with this if you'd like) but is great for up-to-date software. Similarly, FreeBSD doesn't support my nforce2 motherboard (a shame; I'd kinda prefer it to Linux) but supports SCSI, various WAN technologies, and similar.

    But in terms of the basic code-base, I don't know why we should assume there's a big difference between what's good on a desktop and what's good on a server. Because stability, security, speed, usability--these are all traits we want in both.

  23. Re:It just takes a little bogus info over DHCP... on Wi-Fi Redirect Gateway Patent for Hotspots · Score: 1
    How would that help? So long as you hijack a session that's still active, you'd be fine. This relies on the victim not responding with RSTs to connections it never created, but this is probably what a Windows machine with ZoneAlarm would do (whoop-de-do, my machine is now ``stealthed'' :P).

    Not necessarily all that easy, but theoretically possible. The only solution I see is encrypting the whole thing with something like VPN.

  24. Re:When did Nomadix come up with this... ? on Wi-Fi Redirect Gateway Patent for Hotspots · Score: 1
    Even if they came up with it first, the fact that large numbers apparently came up with it completely independently soon after should be good evidence that it's not particularly ``non-obvious.'' Though I can't even say where I personally got the idea myself (surely it wasn't truly my own), let alone where anyone else did, so perhaps all those ideas did indeed stem from Nomadix. But I doubt it.

    On the other hand, there are plenty of good arguments for why patents are beneficial and even necessary for certain industries and innovations (think pharmaceuticals, an industry which is certainly screwed up to the point of allowing millions to die of AIDS in Africa, but where the argument that innovation would not happen without patents is probably nonetheless correct).

  25. Re:Is it just me... on Wi-Fi Redirect Gateway Patent for Hotspots · Score: 2, Informative
    True, you did. My apologies.

    That said, I still think that a) some places signs aren't obvious or can't be placed everywhere (do you really want to plaster a library with signs about wifi? what about parks and open locations?) and b) it's just easier to do it in such a way that all someone has to do is connect to the network to find out how to use it.

    Not saying it's a big deal, but the redirection thing is pretty nice. Also, it has the benefit of only harassing people who aren't yet authenticated (so that if your MAC is authenticated, you don't need to go to the page to find out if you can connect or if difficulties are your fault or the network's, you can just try and connect and see the page if necessary). All in all, it's a neater solution.

    More to the point, it's one used by at least two commercial hardware vendors (bluesocket and reefedge, as I mentioned in a previous post) and by a number of private network admins and projects (the NoCat Auth project uses this method, as do I in something I wrote for work). I can't remember where I first got the idea, but it's certainly one that's somewhere out there in the ether, floating about, free for the taking. I find it hard to believe that this company truly invented it first, or that it's particularly non-obvious even if they did.