This is how I usually choose passwords: I get 12 to 24 bytes from /dev/random (depending on how much entropy and how large a keyspace I really need) and just use its base64 representation as a password. It's quite hard to guess and after a few years I have little problem in remembering the short (96 bits of entropy) ones. The secret is that I don't have to remember them for long, as I change it weekly anyway. This is what I always tell my lusers to use. Once they get used to it, they stop complaining. It's easier to remember if you make a sentence with words starting from those letters and it can be actually fun (e.g. you can write a poem, a song, etc.).
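The scheme in the comment above, written out as an added example (mine, not the commenter's code): base64 of 12 to 24 bytes of OS randomness, with the entropy of the resulting string accounted for, plus a check for the "sentence whose initials spell the password" memorisation trick. It reads from `os.urandom()`, which draws on the same kernel pool as `/dev/urandom`; treating that as equivalent to the comment's `/dev/random` is an assumption made here.

```python
import base64
import math
import os

# Added example, not from the original comment: generate a password the way
# the comment describes and keep track of how much entropy it really carries.
# os.urandom() is assumed equivalent to the comment's /dev/random for this purpose.


def bytes_for_entropy(bits):
    """Smallest byte count that carries at least `bits` bits of entropy."""
    if bits <= 0:
        raise ValueError("entropy target must be positive")
    return math.ceil(bits / 8)


def random_password(nbytes):
    """Base64 of `nbytes` random bytes. The '=' padding is deterministic, so it
    adds length without entropy and is stripped."""
    if not 12 <= nbytes <= 24:
        raise ValueError("the comment's range is 12 to 24 bytes")
    return base64.b64encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


def password_entropy_bits(password):
    """Entropy of a password made by random_password(): 6 bits per base64
    character, rounded down to the whole random bytes that were encoded.
    Only the raw bytes carry entropy, so 8 bits per byte is the honest count."""
    return (len(password) * 6 // 8) * 8


def mnemonic_matches(password, sentence):
    """Check the memorisation trick from the comment: the first character of
    each word in `sentence` must spell the password, case included."""
    initials = "".join(word[0] for word in sentence.split())
    return initials == password


if __name__ == "__main__":
    for bits in (96, 128, 192):
        pw = random_password(bytes_for_entropy(bits))
        print(bits, pw, password_entropy_bits(pw))
```

The entropy function deliberately counts bits of the raw bytes, not of the base64 characters: 16 characters from a 64-symbol alphabet look like 96 bits either way, but for a length like 18 characters the last character is only partially random, and the byte count is what matters.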
I always use HGC ISA graphics cards on my favorite servers whenever I can. I usually get them for free from computer junkyards, schools and government agencies. I complement them with vintage 14" monochromatic CRTs (green or orange) which look very cool and sexy with those big, old, noisy keyboards. Call me a psychopath but I just love to interact with an 8-way monster with 4GB ram and Gb-eth sitting in front of one of those old-school consoles and listening to Wagner. I don't know why but it helps me stay on the manic side of bipolar disorder most of the time. Also, they eat much less electricity than modern adapters and color CRTs. Being dirt cheap is also a plus.
Quite an insightful comment I must say, at least for an argumentum ad personam. This was probably one of those "trollings" I'm hearing so much about, but still I will answer.
On the other hand, if you'd like a wide selection of permissions on directories, users, and files, along with relatively easy and logical administration as well as high reliability (at least as far as networked file systems are concerned) then you should go with SMB.
I was talking about security, not convenience. By security I mean the cryptography and number theory behind the protocol, not a "wide selection of permissions."
The rest of your long and boring comment is a childish and baseless attack on my person, so please excuse me if I ignore it before you start comparing our penii length.
"Smart" and "fashion" in one sentence? Give me a break! Repeat after me, kids: smart people don't need fashion. Let's face it: fashion is only for people who need some way to make up for the obvious lack of intelligence.
However, even if it's quicker than Windows Server 2003, NFS still seems to do a great deal better on my home network for the same things. For example, I typically get 10%-20% of the transfer with SMB as I do with NFS.
Interesting. Finally I have some hard evidence for clients who keep wasting my time asking me to support SMB on my network. I've always been telling them to RTFM and just use scp like everyone else here, but they always cry and moan that they don't know how... One has to wonder which part of RTFM those morons don't understand... But anyway, it's good to know that my intuition to avoid Microsoft protocols like a plague turned out to be right as usual. Recently all of them ask for Samba more than ever before and I think I may finally set up NFS for them one day. I just have one more question. What are the differences between Samba and NFS security-wise? I need one more argument to my arsenal.
So I don't recommend using Samba at all unless you're looking for Windows compatibility.
Personally I don't give a rat, but all of those people... You know the type. They won't touch anything which is not sacred by their good uncle Bill... I need as many hard arguments as possible to prove my point here. Thanks.
we don't know which of those "a *lot* of stuff" is fixed already [Emphasis preserved]
It will slow down the incompetents a bit.
"We" are left more in the dark.
Well, by we I mean you (well, some of you, actually), id est those who have no access to the underground "scene" and don't know about unpublished vulnerabilities and private "exploits." I myself couldn't care less about pix.com (or any other security website for masses for that matter -- masses who should stay away from software like IE in the first place) but unfortunately I have to deal with people who are incompetent enough to use such software and who need to be constantly told about its vulnerabilities. Those people couldn't find a private exploit on IRC or Freenet even if their life depended on it, so they need websites like this one. Too bad Microsoft knows that knowledge is power and managed to shut their mouths.
The competent bad guys, assuming there are any, have a bit less noise to contend with.
I am always more concerned about incompetent good guys, as those are sadly in the majority.
I'll Coward on this since I don't work on the IE team:
I believe the patch fixed most if not all of the vulnerabilities on that web page.
I'm sorry but your logic is flawed. If the patch fixed most if not all of the vulnerabilities on that web page indeed, then the page should be updated instead of removed, id est they should add "update: this is already fixed" where appropriate. But no, they stopped informing the public about any (patched or otherwise) vulnerabilities and look like a classical example of becoming a Microsoft prostitute. (Note that I'm not saying they are (but it should be obvious at this point anyway), I'm only saying they look like one.)
Re: the "why aren't they doing that" - They probably are. But you don't change IE behavior without affecting a *lot* of stuff, so I'd presume they're trying to get it all right first before they release a patch rather than release immediately and break something else by accident...
And in your opinion it is good that we don't know which of those "a *lot* of stuff" is fixed already? Don't fool yourself. It may not look so important to you or me, since no sane person uses IE anyway, but we have to remember that sometimes people we work with are stupid enough to use Windows, and implicitly trusting their systems' integrity may cause a disaster. Therefore there is absolutely no excuse to have unpatched vulnerabilities in any software. Now we have to thank this supposedly famous Pix Solutions for making it easier for Microsoft to hide their flaws. I'm sure "Internet as a whole" (read: good uncle Bill) will thank them indeed.
Just in case not all of you already know that, I, as probably most of Slashdot readers, don't allow Windows on my network. Period. But it doesn't mean we don't have to pay for the Microsoft virusii bandwidth constantly hitting our firewalls. It is killed on the first level of firewalls, the intruders' hosts are being instantly counterattacked, but before they are down their packets have to travel to our routers somehow, and we have to pay for them, even if we don't want and don't need them.
Am I the only one who read "IE Vulnerabilities Removed"? I knew it was too good to be true...
That's funny, but jokes aside, I believe this is what Microsoft should be doing, id est removing the vulnerabilities themselves, not merely the discussion about them. Those greedy bastards have so much cash that patching IE should take them less than 6 weeks. So I am asking: why aren't they doing that? Is there any Microsoft employee reading this who could answer my question? I surely hope so.
I am terribly sorry for the typo. It should be "Internet as a whole" not "Internet as a hole" of course. But one has to admit that in the context of the arse anal ogy the "hole" sounds kind of disturbingly appropriate, to say the very least... One only has to wonder if what we see here is not "Internet as a whore" -- MSFT whore that is.
Speaking about security, I'd like to point you to my recent article on the topic. I hope you all find it informative.
Are they kidding me? The good of their soon to be exploited by MSFT lawyers arses -- that's for sure. The good of the Internet as a whole -- no way. That's security through obscurity in the most obvious and insulting form. It's a good thing that since they removed the information no one is going to know it... *sigh* I think they are insulting the intelligence of every Slashdot reader. What next? Are they going to remove the Security Focus articles they linked to as well? Is this madness ever going to stop? OK, I'll stop now. I guess I've read too many books about security to stay calm while being insulted this way. I'm sorry.
Working from behind NAT and with no ports open comes pretty close.
Why, yes, indeed...
Not so good for services, BoC you can jail those, and most of them can even be put in a read-only jail.
Speaking about chroot jails, make sure nothing inside runs with euid 0 and there are no suid binaries and/or locally exploitable vulnerabilities (a so-called "local r00t 'sploit") inside the jail, otherwise breaking out is surprisingly trivial. I just wanted to point it out in case anyone reading your comment could think chroot is a panacea, while we know it doesn't work against processes with superuser euid privileges.
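A practical check for the two conditions the comment names, as an added example (mine, not the commenter's): audit a jail tree for setuid/setgid files, and enter the jail in the order that leaves nothing inside running as euid 0. The `build_demo_jail()` helper constructs a throwaway sample tree so the audit can be run offline; the file names in it are made up for the demonstration.

```python
import os
import stat
import tempfile

# Added example, not from the original comment or any project: audit a chroot
# tree for the set-id binaries the comment warns about, and show the
# privilege-drop order that leaves nothing inside the jail running as euid 0.


def find_setid_files(jail_root):
    """Paths (relative to jail_root) of regular files with setuid or setgid set.
    Symlinks are not followed: once chroot() has happened a link pointing
    outside the jail cannot be resolved anyway, and a link has no mode bits."""
    found = []
    for dirpath, _dirs, filenames in os.walk(jail_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(os.path.relpath(full, jail_root))
    return sorted(found)


def jail_report(jail_root):
    """Deployment check: 'ok' is False whenever a set-id file exists in the tree."""
    setid = find_setid_files(jail_root)
    return {"setid_files": setid, "ok": not setid}


def enter_jail_and_drop_root(jail_root, uid, gid):
    """chroot() needs euid 0, so it runs first; chdir('/') moves the cwd inside
    the new root (a cwd left outside it is a classic way out); then the
    supplementary groups, gid and uid are dropped in that order, and the drop
    is verified by trying to become root again."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to leave the jailed process running as root")
    if os.geteuid() != 0:
        raise PermissionError("chroot() requires euid 0")
    os.chroot(jail_root)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("setuid(0) succeeded: privileges were not dropped")


def build_demo_jail(base=None, with_setuid=True):
    """Constructed sample tree (not a real jail): a few ordinary files and,
    optionally, one setuid file so the audit has something to find."""
    root = tempfile.mkdtemp(prefix="jail-", dir=base)
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    files = [("bin/sh", 0o755), ("bin/ls", 0o755)]
    if with_setuid:
        files.append(("usr/bin/passwd", 0o4755))
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print(jail_report(build_demo_jail()))
```

The audit is only half of the comment's point: even a tree with no set-id files does not contain a process that is still euid 0, which is why `enter_jail_and_drop_root()` refuses a uid or gid of 0 and re-checks that `setuid(0)` fails after the drop.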
Right... and do everything yourself? There is one other alternative. Just don't use Windows with it's reputation of having no security whatsoever.
Just in case you missed my other comment (foolishly moderated as Score:0, Flamebait, because I dared to say I don't use Windows) I want to clarify a few things: I don't allow Windows on my network. Period.
Are you trying to raise an army of informed sysadmins or an army of grubby computer crackers?
The most fundamental knowledge they need is exactly equivalent. The only difference is that "army of grubby computer crackers" needs to know only one successful attack to win, while any even remotely competent sysadmin needs to know all of them to be able to detect any of them every time. Of course you can always choose the easy way and hire Counterpane or a similar service, but I always advise to have a security response team on site ready to counter the attack 24 hours a day, 7 days a week, with the flawless cooperation between them and your armed guards being the clue in case of an insider job or physical compromise.
(Note to sysadmins: please don't flame me! I aspire to *be* one of you guys some day.)
This is an exciting job, but may be dangerous if you are in charge of any important network due to physical attack possibility. Never underestimate the power of rubber-hose cryptanalysis. I mean it. Don't learn it the hard way like I did.
Great idea! After I get done with that, I think I'll teach the users the difference between real error messages and banner ads.....
Nobody said you have to be competent yourself, but don't come crying to me when you realize that, for example, one can write an ASCII string which is a valid x86 shellcode after conversion to UTF-16, also having a plausible spectrum analysis signature. This post will probably get moderated as Score:-1, Obvious Example but sometimes even the most trivial attack may be successful if you are not careful enough, or if you don't know your architecture's binary instruction set for that matter.
I meant to turn off all ports, not to turn off the bloody systems. Sheesh.
If I am going to turn all of the ports on our servers off, then I can just shut the whole damn network down as well. Both of those "solutions" are technically equivalent, the only difference being the obvious savings on the electricity bill.
If they're systems in a lab, you're probably going to have to keep some ports on.
Indeed...
But for 99.99% of Windows users there is no need to. They're client machines, not servers.
I don't allow Windows on my network. Do you think I'm stupid?
I am not going to trust in security through obscurity done by the most ignorant people in the industry. This is an important network and I am not going to basically ask for trouble.
I particularly like the GNU operating system approach to improving the Unix security. Of course I mean the Hurd kernel, not Linux. We all know ACLs, MAC, POSIX capabilities and even the Hurd auth servers are not the final solution, but one has to admit it's a good start which will surely lead to quite an interesting research during the following decades.
You mention quite a few very important but frequently underestimated issues here. The network where I work is constantly being monitored and we know that firewalls and IDSs need to work both ways. I think that the prosecution one of our workers who was downloading pornography using our network (the poor bastard thought a DES-encrypted ICMP echo reply payload was a good "covert channel" -- not when I am in charge) will face in a few weeks pretty much speaks for itself.
Or you could just make sure everything is off. I don't know how much more simple you can get. Of course, you do need a little bit of education to know how to tell that you really do have everything off, but it's still a heck of a lot simpler than learning assembler.
Great idea. Let me make sure everything is off in my lab. Let me also ask management of my institute to file for bankruptcy while I am at it. I am sure they will thank me for making our network absolutely safe.
It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts. Read the articles posted on Freenet. Read the books for god's sake! Read about systems. Read about networking protocols. Read about cryptography. Read about cryptanalysis. Employ honeypots in every network. Learn C. Learn Assembly (Intel as well as AT&T syntax, for different CPU architectures). Learn executable binary formats. Learn how to see polymorphic shellcodes in a network packet hex dump, just looking at tcpdump output scrolling on your terminal. Learn how to speak different protocols (http, smtp, pop3, etc.) with netcat, then making your own tcp packets, then your own hand-made ip packets, then ethernet, ppp and slip. Learn. Read. Then learn some more. Read. Read. Read. And learn the one most important thing: security is not easy. When everything fails, you are on your own.
Please excuse my offtopicness, but I just cannot stand it.
As I am sure any even remotely intelligent person could easily tell you, this was NOT argumentum ad hominem, but a classical example of argumentum ad personam in its purest form! I just cannot believe how you just embarrassed yourself in your miserable attempt to sound smarter than you apparently are. Now, please do all of us a favor and consider educating yourself, as I believe there is no place for ignorance and plain stupidity here on Slashdot. But I guess I am only wasting the time of the intelligent Slashdot counterpart, as the only argumentum you might possibly understand would be argumentum ad ignorantiam... Please take no offense, this is a fact. Vanitas vanitatum, I might add -- now, mightn't I?
In related news: As noted previously, a couple of weeks ago Snake Oil Ltd. released a new perpetual motion vehicle by professor Dick Crackpot. Slashdot readers speculated that the system wouldn't work. Now there is a report proving it doesn't work by Joe Sixpack, a high school student. Film at eleven!
My god... What's next? Lossless compression of random data?! Please... Are people really that unintelligent to believe in such obvious BS? What is it, 21st century or Middle Ages for god's sake!
Tell me about it...
I think they've been too dangerous since MS-DOS...
Soon The Right to Read by Richard Stallman will be a historical documentary instead of overexaggerated anti-utopian future science fiction...
"a company [...] has filed a motion to stop Microsoft from distributing its IE software until they remove Eolas' patented technology"
What??? EULAs are patented?! Thank god! Oh, wait a minute...