If you know of something that can block MSN Messenger effectively, let me know. It installs as part of Windows, and without user intervention, tries very hard to bypass detection and get through to its home servers.
I can have a policy - don't install this - don't use this, but most people do anyway just to make that damned message go away. "Wouldn't you like all the benefits of adding a .NET password to XP?". Sure, I can remove it, but the service packs put it back again. I turned it off through the registry, and a security update restored it. MSN Messenger is pervasive, and annoying. No user intervention necessary.
Back to "smart detection" -- After the first blocked attempt, it talks using standard http then as https (also over the correct ports). I don't want to block any web page that 'could' actually be a web page though.
Similarly, I carry my extra pws in 'Keyring' on my Pilot. This works out for the odd message boards that force me to use/not use certain letters/characters, too.
As the post above mentions, how effective is this against MSN Messenger? Messenger protocols will gladly talk http or https, and run over standard web ports.
No MSN messenger is a common policy among companies. I'd be quite interested to see if it's effective, without cutting off web access (false positives).
Sure, but gnutella (for instance) is already implemented using a structure that very closely follows the http protocol. So gnutella, across port 80, is very difficult to detect.
So, even if I get 'smart' detection, how will this better protect me from getting false positives for P2P by users who are hitting IP dotted addresses to find legitimate web sites?
Computers can only get so smart, before they become smarter than you are...
An example I would call on is Word. When I want to misspell a word on purpose like, recieved. Word knows better than I do, and will change it back, automatically. This is not so bad, until you start dealing with multi-page columns in a document. I know what text I want to show up in each column. I type it where it goes, Wysiwyg style, but Word knows better. It will change things around, and put my text where it wants.
This is similar to false positives. Eventually, the program is written to think it knows better than the person running it.
My point is - when will a SNORT type product decide that my Windows machine cannot work on an ISP of Windows machines because I pipe its traffic through a virtual interface that coincidentally looks like I'm running OSX or Amiga?
Certain revisions or patchlevels of an operating system may change the stack's behavior and cause it to either not match what's in the fingerprints file or to match another entry altogether.
The above note does speak to one of the points I made. It's difficult to make this work correctly, and effectively (I use ipf on Solaris, and the OS SYN signatures are not reliable).
"The idea is to take a policy like 'thou shalt not run OS X on the network,' and then if someone with a Mac plugs into our network... it can tell the firewall to [block them],"...
While this would be cool, the nature of TCP/IP says that it will be quickly defeated. There are already programs out there that will make your Linux box masquerade as another type of computer.
If a policy says, thou shalt not run P2P - then the P2P will be reached through proxy. If you use snort regular expression detection (one of the coolest features) then new protocols will be written to look like an innocuous service (P2P through ICMP/Ping).
The worst part, and my buddy Zero Hex could talk about this forever, is when ISPs start using this to enforce their will on users. Thou shalt not connect without Windows.
Basically, it's not likely to enforce policies among those who actively want to get around them. Instead, it will enforce policies that push an agenda.
For authentication purposes, biometrics are nearly as good as it gets. Remember, authentication is to show that you are who you say you are.
Biometrics cannot be shared (except, in some cases, among identical twins). The other issue of biometrics is legacy and diverse systems (see last paragraph). Not all systems can handle/be retro-fitted with biometric scanners.
However, if you want to have a username and password that can be shared among a group of people (service specific userid), biometrics won't do at all. (Yes, this is still relatively common). Or, have a relatively anonymous service (like Slashdot) - where a userid may want to keep multiple accounts (see my sig-link).
Does anybody know of a decent biometrics system that works well with a hybrid Linux/Windows network? I researched it, and can't find anything. Maybe someone else will know.
The worst barrier, from my perspective, to user education is Windows' and web browsers' "remember my password" functionality. For 99% of all interactions with my network, users have their password "remembered" for them. Then, they set the password on their laptop to "blank" or == username.
Does anybody know of an easy way to permanently disable this capability?
I'd rather have everybody write down their passwords with a huge billboard font than have the password get out of the building.
I have successfully run without a firewall (and far less virus/worm problems than the company down the hall) for over 5 years. All network access to systems is through ssh, vnc and https only.
I'll be happy to go into great detail on why I don't run a firewall, just ask.
On a message board, I always use a fairly simple password, simply because it doesn't matter to me...
If someone gets to post as Allen Zadr to slashdot, the worst that would happen is my karma would be burned. No big deal. I drop the account, start a new one, give Slashdot another 5 bucks.
The passwords I use on anything important, are far more secure.
For this reason, I would be far more suspicious of the 10% that use extremely complex passwords. Likelihood is that those passwords will match their online banking account and work passwords.
That's why I assign passwords to my users. I know that they are random, cryptic, long enough, and if my user can't remember it, I can remind them.
On the other hand, I don't have a password retention policy either, so really if someone is in my employ for more than six months, there's a good chance of a password getting lost into the wrong hands. Yes, I know this is a bad idea.
Seedless orange trees are all grown from cuttings of other seedless orange trees. Thus, they are NEVER found in a 'seed' form. There was only one (known) natural occurrence of a seedless orange tree, and seeing a cash cow, it's been re-grown from root cuttings over-and-over again since.
An informative Merriam Webster quote (and discussion) is further up the thread starting at this post.
That is to say, it's not a mis-use of the word any more than you are actually claiming that God will not love those who mis-use the word 'organic'. (That's assuming you are not a full-fledged religious zealot).
I would also point out this informed sounding post that says that they are not currently using "terminator" or "suicide" genes in the seeds that are sold.
If you click the "research supports this" link, you'll see what I'm referring to. Basically, a whole bunch of supposedly "pure" crops came up as round-up resistant.
I would have thought that genetically modified crops would be unable to reproduce by some manipulation. I'm quite surprised to hear from the articles and research linked that this is not the case.
I imagine the purists who want full organic food may be surprised that their food may be cross-pollinated with a genetic crop.
Of course, if you have my finger... I'll undoubtedly give you my password, lest you take more appendages.
Damn, all of a sudden, I'm hungry. Must be lunch-time.
So, your passwords are made from the "reply-to" of random SPAM messages!
All your i286 are belong to us.
You can't forget Cargill while rounding out your Axis of food evil. Cargill is not public, so they have no financial scrutiny into their evil empire.
Or maybe I'm still sour that they wouldn't hire me, years ago, when I interviewed there.
However, another post seems to think that they are supposed to be sterile.
Just in case you're not just posting a smart-ass comment, I'm referring to Organic certified foods.
There's a natural order to things... I eat canola, not the other way around.
Really interesting read.
Mechanic: Somebody set up us the bomb.
Operator: We get signal.
Captain: What !
Cats: All your spam are belong to us.