$ans is all about cash.
You should have at least mentioned your membership in the ISC so everyone would know you are biased.
The first word that caught my attention was the word "handler".
To paraphrase Dave Aitel, "handler = someone without a CS degree".
$ans is all about cash. That is why their classes are packed to the brim, so people can watch powerpoint presentations...
(yes I have attended one)
Half of the SANS hardening guides were ripped straight from the US government (NSA/DISA STIGs). No credit given either btw.
Isn't OSS always about a choice?
You can do a minimal install of whatever OS you want. If you don't like it, don't install the DB layer.
apt-get install dbfs
Building a performance system is the best option to do it economically. Unfortunately, Alienware has a jump on the market with the dual PCI express graphics motherboards.
Barring that, I'd buy a system from a company that supports (indirectly or through ads) the OSS community.
I'm talking about Monarch Computer and similar vendors obviously.
Within the DOD, they don't need to do it via email.
Instead, they can use their X.509 smartcard (CAC) to access a voting website that is loaded with certs via a Fortezza card.
The entire transaction could take place over the NIPRnet or even better, the SIPRnet.
tco or tc0? :D
If Crippleware is limited software then what is a good name for a crippled operating system? CrippleOS doesn't sound very catchy. GimpOS? Anyone have a better term for this?
CANVAS is not merely a GUI over a database of known exploit code. CANVAS, like Core Impact, Metasploit, and the US Government's ATLAS program, is a framework for penetration. How does it vary from mere scripts?
1. A GUI for interface
2. Standardized exploit modules
3. Suite of reliable payloads
4. lots of other features
Exploit frameworks are very flexible, as opposed to hardcoded exploit scripts.
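The four points above are easier to see in code. The following is an added example written for this page, not CANVAS, Core Impact or Metasploit code: a skeleton framework with a standard module interface, a payload catalogue chosen per target architecture, and a runner that checks before it fires. The target service, the banner strings, the return addresses and the payload blobs are all constructed for the mock and carry no real-world meaning.

```python
"""Skeleton of an exploit framework (added example; not CANVAS, Core Impact
or Metasploit code). It shows the separation the post lists: modules with
one standard interface, a payload catalogue chosen per target, and a runner
that can check() before it fires. The target is a constructed in-process
mock with a 64-byte buffer followed by a 4-byte saved return address;
nothing touches a network and the payload blobs are placeholder bytes."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    arch: str      # "x86" or "x64"; assumed labels for the mock
    banner: str    # what the service announces, used for fingerprinting


@dataclass(frozen=True)
class Payload:
    name: str
    arch: str
    blob: bytes


# Payload catalogue: one exploit, a different second stage per architecture.
# The blobs are constructed placeholders, not shellcode.
PAYLOADS = [
    Payload("connect_back", "x86", b"\xcc" * 8),
    Payload("connect_back", "x64", b"\xcd" * 8),
]


def select_payload(name, arch):
    """Pick the payload variant that fits the target; a script would hard-code one."""
    for p in PAYLOADS:
        if p.name == name and p.arch == arch:
            return p
    raise LookupError(f"no payload {name!r} for arch {arch!r}")


class MockBannerService:
    """Constructed stand-in for the vulnerable service: input longer than
    BUF overwrites the saved return address; whatever follows it is what
    the 'process' would execute next."""
    BUF = 64

    def handle(self, data: bytes):
        if len(data) <= self.BUF:
            return {"status": "ok"}
        ret = struct.unpack("<I", data[self.BUF:self.BUF + 4].ljust(4, b"\0"))[0]
        return {"status": "crash", "ret": ret, "executed": data[self.BUF + 4:]}


class ExploitModule:
    """The standardised interface every module implements."""
    name = "base"
    targets = {}   # banner string -> return address for that build

    def check(self, target):
        """Non-destructive fingerprint test; the runner refuses to fire otherwise."""
        return target.banner in self.targets

    def build(self, target, payload):
        raise NotImplementedError


class BannerOverflow(ExploitModule):
    name = "mock/banner_overflow"
    # Per-version return addresses: module metadata, not runner logic.
    targets = {"MockBanner 1.0": 0xDEADBEEF, "MockBanner 1.1": 0xCAFEBABE}

    def build(self, target, payload):
        ret = self.targets[target.banner]
        return b"A" * MockBannerService.BUF + struct.pack("<I", ret) + payload.blob


def run(module, target, payload_name, service):
    """Framework runner: check, pick payload for the arch, deliver, report."""
    if not module.check(target):
        return {"status": "not_vulnerable"}
    payload = select_payload(payload_name, target.arch)
    return service.handle(module.build(target, payload))


if __name__ == "__main__":
    t = Target("10.0.0.5", 31337, "x64", "MockBanner 1.1")
    print(run(BannerOverflow(), t, "connect_back", MockBannerService()))
```

The point of the split is that adding a third architecture means adding one `Payload` entry, and adding a new vulnerable build means adding one entry to `targets`; the runner and the delivery code do not change, which is what a hard-coded script cannot offer.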
Looks like those NIST folks forgot all about the DISA STIGs
I haven't heard of an open source tool with the same functionality as the former Raytheon SilentRunner, now CA eTrust Network Forensics,
or the similar tool from Niksun.
An open source tool with similar capabilities would be an excellent project.
Get into an internship program that the US Government offers.
Government has a shortage of good IT people, and with the looming babyboomer retirements, will have a personnel crisis.
Don't go with RAID 1 or RAID 5.
Go with RAID 3 XL.
If they weren't providing his paycheck, how can he be obligated to provide exploits on someone else's timetable?
I don't blame him for releasing things when it is convenient to him.
The last time I told a developer about flaws in his commercial product, his website had him claiming "he himself had found some security flaws". He gave me no credit and no compensation for the hours I spent testing out other vulnerabilities in his commercial product, nor for the time spent helping him realize what he was doing wrong.
America didn't invent the Internet, Al Gore did that.
The FSF *HAS* all-star lawyers
Lessig & Moglen
In related news, Osama Bin Laden talks about his growing rivalry with Darl Mcbride for most hated man in America...
This is what I do
Scan after hours/on the weekend
Consider using a passive vulnerability scanner (e.g. http://www.tenablesecurity.com/nevo.html )
Do a distributed scan
Use unaggressive settings
*******
One of the foremost TCP/IP security gurus, Dan Kaminsky of Paketto Keiretsu/Black Hat/DEF CON fame, has some novel ways of performing network scans too. You might want to consider reading over his material at http://www.doxpara.com/
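The four points in the post above (scan after hours, scan passively where you can, distribute the scan, use unaggressive settings) turn into a small planning routine. The following is an added example written for this page, not the poster's own tooling: it checks whether a proposed start time falls in an assumed maintenance window, splits a target list across several scan hosts, and emits nmap command lines with a polite timing template and a hard packet-rate cap. The window boundaries, rate limits and file names are assumptions; the host list is constructed. Nothing here runs nmap.

```python
"""Planning a low-impact vulnerability scan (added example, not from the
original post or from any scanner vendor). Implements the points above:
an after-hours window check, target chunking for distributed scanners, and
nmap command lines with unaggressive timing. The window boundaries and the
rate limits are assumptions; tune them to the network. Nothing here runs
nmap; it only builds the commands."""
import math
import shlex
from datetime import datetime

# Assumed maintenance window: weekends at any hour, weekdays 22:00-06:00.
NIGHT_START, NIGHT_END = 22, 6


def in_maintenance_window(when) -> bool:
    """Accepts a datetime or an ISO 8601 string such as '2024-01-06T23:00'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.weekday() >= 5:            # Saturday=5, Sunday=6
        return True
    return when.hour >= NIGHT_START or when.hour < NIGHT_END


def chunk_targets(targets, scanners):
    """Split a target list into `scanners` near-equal chunks, one per scan host."""
    if scanners < 1:
        raise ValueError("need at least one scanner")
    size = math.ceil(len(targets) / scanners)
    return [targets[i:i + size] for i in range(0, len(targets), size)]


def nmap_command(target_file, out_prefix, max_rate=25, scan_delay_ms=200):
    """Unaggressive nmap invocation: polite timing template, hard packet-rate
    cap, per-probe delay and a single retry, so a slow IDS or a fragile host
    sees a trickle rather than a flood. Rate and delay values are assumptions."""
    args = [
        "nmap", "-sS", "-n", "-Pn",
        "-T2",                               # "polite" timing template
        "--max-rate", str(max_rate),         # packets per second, hard cap
        "--scan-delay", f"{scan_delay_ms}ms",
        "--max-retries", "1",
        "-iL", target_file,
        "-oA", out_prefix,
    ]
    return shlex.join(args)


def plan(targets, scanners, when):
    """Return one job per scanner, or an empty plan outside the window."""
    if not in_maintenance_window(when):
        return []
    jobs = []
    for i, chunk in enumerate(chunk_targets(targets, scanners)):
        # In practice each chunk is written to chunk-N.txt on its own scan host
        # (assumed file name) and the command is run there.
        jobs.append({"scanner": i, "targets": chunk,
                     "cmd": nmap_command(f"chunk-{i}.txt", f"scan-{i}")})
    return jobs


if __name__ == "__main__":
    hosts = [f"10.0.0.{i}" for i in range(1, 11)]            # constructed list
    for job in plan(hosts, 3, "2024-01-06T23:00"):           # a Saturday night
        print(job["scanner"], len(job["targets"]), job["cmd"])
```

The passive-scanner point has no command line here because a passive scanner is deployed on a span port rather than launched against targets; the rest of the plan is what you would hand to cron on each scan host for the window you actually agreed with the network owner.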
Metasploit is similar to Core Impact.
I'll gladly add this to my tools, without any cash outlay.
Want more security tools?
The Mitre CVE = a dictionary. It lists types of vulnerabilities. It is not a database that can be queried for specific instances of vulnerabilities, by OS, by application type, etc.
(Now you know what the CVE is, and isn't).
The NIST ICAT takes CVE numbers and attempts to reference specific vulnerabilities against them. It tracks, to a limited extent, OS type, application version, etc. The problem with the NIST ICAT is the generic terms that are often used, so one specific ICAT entry might match 5 different specific vulnerabilities.
(Now you know what the ICAT is, and isn't).
Want a test case? Take any piece of software that has had multiple vulnerabilities, sendmail for example. Now take the output of ICAT and attempt to match the vulnerability listed against specific problems. You'll be able to do about 50% of it easily. 25% more you'll be able to manage with some detective work. The other 25% will match multiple things and you will be unable to create a concrete match. The NIST ICAT is a step in the right direction, but because many of the vulnerabilities listed are written in a generic manner, PRECISE tracking is impossible.
(Now you know what the problem is with ICAT).
Now for a real world example:
You are tasked with doing an enterprise certification & accreditation effort for a government agency. They want to track their vulnerabilities across the entire organization as you report them. They are tracking their high-risk vulnerabilities so they can allocate resources to fix them ASAP, while taking a more long-term perspective on minor vulns. They are your customer, and would like their vulns matched against ICAT... You then run into problems matching the specific vulnerabilities against ICATs. It doesn't reflect greatly on the C&A effort (because ICAT matching is mainly a value-add).
ANSI SQL is a neutral format. It is the primary standard for Database SQL. I'd prefer to have it in ANSI SQL to some other format. I'm not part of the OSVDB team though, so why don't you ask them.
As for being familiar with the CVE/ICAT, it is obvious that I am. Next time before you accuse someone of trolling, research the subject at hand.
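The matching exercise described in the post above (filter a generic entry list by product and version, then try to pin each finding to one entry) looks like this in code. The following is an added example written for this page, not the poster's tooling and not a real CVE or ICAT export: the entries, their IDs and their version ranges are constructed, and the two-stage filter plus the unique/ambiguous/needs_review/unmatched classification are my assumptions about how a tracker would report the outcome.

```python
"""Matching specific findings against generic vulnerability entries (added
example; the entries and IDs below are constructed, not real CVE or ICAT
records). It reproduces the matching problem described above: filter by
product and version, then by the scanner's description, and report whether
the result is a single entry, several indistinguishable ones, or none."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    id: str
    product: str
    affected: str     # "all", "< 8.12.9", "<= 8.12.9", "= 8.12.8"
    summary: str


@dataclass(frozen=True)
class Finding:
    product: str
    version: str
    keyword: str      # the scanner's one-word description of the flaw


# Constructed sample in the style of a generic entry list for sendmail.
ENTRIES = [
    Entry("ENTRY-1", "sendmail", "< 8.12.9", "buffer overflow in header parsing"),
    Entry("ENTRY-2", "sendmail", "< 8.12.9", "buffer overflow allows remote code execution"),
    Entry("ENTRY-3", "sendmail", "< 8.12.10", "prescan buffer overflow"),
    Entry("ENTRY-4", "sendmail", "all", "local privilege escalation via setuid helper"),
]


def vtuple(version):
    """'8.12.9' -> (8, 12, 9) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def affected(spec, version):
    """Evaluate a simple affected-version spec against a concrete version."""
    spec = spec.strip()
    if spec == "all":
        return True
    op, _, bound = spec.partition(" ")
    a, b = vtuple(version), vtuple(bound)
    return {"<": a < b, "<=": a <= b, "=": a == b, ">=": a >= b}[op]


def match(finding, entries=ENTRIES):
    """Return (status, candidates). Status is 'unique' when exactly one entry
    survives both filters, 'ambiguous' when several do, 'needs_review' when
    product/version match but the description does not, 'unmatched' otherwise."""
    by_product = [e for e in entries
                  if e.product.lower() == finding.product.lower()
                  and affected(e.affected, finding.version)]
    by_text = [e for e in by_product if finding.keyword.lower() in e.summary.lower()]
    if len(by_text) == 1:
        return "unique", by_text
    if len(by_text) > 1:
        return "ambiguous", by_text
    if by_product:
        return "needs_review", by_product
    return "unmatched", []


def triage(findings, entries=ENTRIES):
    """Summarise how much of a report can be tracked precisely."""
    return dict(Counter(match(f, entries)[0] for f in findings))


if __name__ == "__main__":
    report = [
        Finding("sendmail", "8.12.8", "overflow"),
        Finding("sendmail", "8.12.9", "overflow"),
        Finding("sendmail", "8.12.9", "privilege"),
        Finding("sendmail", "8.12.8", "format string"),
        Finding("postfix", "2.0", "overflow"),
    ]
    for f in report:
        status, cands = match(f)
        print(f.product, f.version, f.keyword, "->", status, [e.id for e in cands])
    print(triage(report))
```

The first finding is the case the post complains about: three entries all say "buffer overflow" for a version range that includes 8.12.8, and nothing in the entry text separates them, so the tracker can only record the set. The `triage` summary is the number a C&A report can honestly give for how much of the finding list has a precise cross-reference.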
1. The Mitre CVE is "A Dictionary, NOT a Database".
2. The ICAT Metabase is seriously flawed, even more so than the CVE.
3. The Schema may be for PostgreSQL, but the contents should be ANSI SQL compliant. Gee, so hard?
4. Are you even familiar with the CVE or ICAT? I think not.
If you are looking for security checklists/hardening guides, NIST releases the combined NSA/DISA guidance here. Unfortunately, it is commercial-OS centric: the Linux coverage is woeful and the *BSD coverage nonexistent :(
Don't go to CI$ - they are basically repackaging DISA/NSA guidance, then charging for it!
The CVE is "A Dictionary, NOT a Database" of vulnerabilities. It appears you aren't familiar with the CVE.
You would be better off comparing the OSVDB against the ICAT metabase.
The ICAT has some serious shortcomings which make my work a big PAIN! (Try to cross-reference a specific vulnerability that matches 10 vulnerabilities.)
OSVDB appears to better personify the open source paradigm in general, as such, I'd like to extend a warm welcome.
We expect great things from you.
Taiwan (Chiang Kai-shek's administration) was the legally elected leadership of China. They fled there after the war with the communists.
Are you saying OSS is "untested"? At least half the internet is run on OSS software! I guess that doesn't count for anything.
Open source software is audited, tested, validated, and independently certified quite often these days. Many organizations use OSS as reference specs.
Can your proprietary closed source software say all that?