Slashdot Mirror


User: IbeUID0

IbeUID0's activity in the archive.

Stories: 0 · Comments: 7

Comments · 7

  1. Re:I'm not certain this is a rethink, really on Information Security Fundamentally Wrong? · · Score: 2, Insightful

    Not being able to read the (slashdotted?) article, it sounds like he's calling for companies to buy and install the latest series of security gizmos - the Security Event/Information Manager (SEM/SIM). This is truly the greatest generation of toys - it slices/dices/makes julienne fries!

    The goal of these devices is to take the data from the varying sources - syslogs, firewall logs, IDS/IPS entries, and so on and correlate it in an automated fashion. The challenge with these solutions is that it's, well, hard to do right. How long did it take us to get a decent IPS device? If you count the Checkpoint/Realsecure connections (where Realsecure could modify Checkpoint rules), it was about 4 years between that and a functional IPS that organizations could effectively trust. The S(E/I)M is a pretty big step beyond that. That's why managed security providers are in business, and even their correlation engines aren't that advanced. It's a great idea, and would be great to see, but I'm not convinced the complexity issues can truly be overcome. Can we really take in all the data from our servers, switches, routers, firewalls, IDS/IPS, workstations, network management systems, application logs, LDAP/AD logs, email systems, etc. etc. and create a cohesive top-down view? I'd love it, but I wouldn't want to try to write it.

    It reminds me a bit of ERP systems - great tools that managed everything and are amazingly expensive to purchase, customize, and use. Then again, if the security market goes that way, we'll have job security just installing the buggers.

  2. Re:One more reason.... on Police Need 90 Days To Crack Hard Drives · · Score: 1

    Flamebait? My, it looks like someone's sarcasm detector is inoperative.

  3. One more reason.... on Police Need 90 Days To Crack Hard Drives · · Score: 0, Flamebait

    To only allow encryption systems with well-known backdoors to hit the commercial world. Reserve the military grade stuff for those aligned with governments dedicated to goodness and niceness, not badness and evilness, like the U.S. government.

    Oh wait. Make that Canada. Nobody distrusts the Canadians. Except for Sheriff Bud B. Boomer.

    Canadians - they walk among us.

  4. Re:Unintended joke? on Transparent Aluminum a Reality · · Score: 2, Insightful

    It may very well beg the question. It is not misusing language. The definition of "begs the question" that you are using is a misuse of language - specifically a mistranslation of Aristotle that dates from the 16th century. So, you are defending a 500 year old mistake.

    Congratulations. You have just won the "ironic idiot" award for this story for decrying something as a mistake using an argument that is, in fact, a mistake.

  5. Re:Wow, what a dumb question... on No Defense Against Windows Rootkits? · · Score: 1

    Yes, it's a dumb question, but not because the answer is wrong.

    It is a dumb question because:
    1. It treats an assumption as a fact (the problem is serious)
    2. It assumes that open source is any better for rootkits
    3. It assumes the only active defense is related to rootkits

    All wrong, or not proven facts. The problem may or may not be serious. Most Windows rootkits aren't rootkits. They don't patch the kernel, but simply hide processes from the process list and netstat. That's analogous to patching ps/ls/netstat on a *nix box. Like *nix, there are plenty of other tools out there to get this information. The ability of *nix rootkits to modify the kernel itself is much more of a danger.

    Windows being closed source code has nothing to do with rootkits. It's simply a lack of information for both the good guys and the bad guys. Hence, it's a lose/lose. The ability to build a kernel that CAN'T support loaded modules is a big advantage to *nix, but that has nothing to do with *nix being open source.

    One can actively defend their windows systems against rootkits. Use file integrity checkers like tripwire. Use distributed log consolidation servers - they had to get in somehow before the kit got installed, and a rootkit won't wipe log entries on another server. Use other tools from sysinternals and other places to look for hidden processes and files. Heck, install cygwin for crying out loud and use ls/lsof!

    So yes, it is a dumb question. And the answer is - "ask the right question - why can't we customize our windows kernel to prevent any possible rootkit from messing with it?"

  6. Re:WTF! Yeah it is cost effective! on Municipal WiFi Costs Outweigh Benefits · · Score: 1

    Eslyjah, I think projecting back 10 years to dial-up isn't providing you with the data necessary to make a valid determination. You'd be better off looking 5 years into the past.

    5 years ago, the year 2000, most people had already begun the switchover to broadband. Heck, I've had broadband for about 7 years, and I wasn't an early adopter. At that time, my speed was about 1 meg over a cable modem for 35 dollars a month.

    Performing the same calculations, I get an easy differential of 3.5, hardly the 6 you've assumed for a 5 year period. That's the challenge with looking too far behind. So for the NEXT 5 years, if prices are cheaper by a factor of 3.5, that's 15Mbps for $40 a month.

    Assuming Jupiter's projections are correct, a WiMAX/802.11b implementation showing a benefit of $25/month for private users at 10Mbps is a 4x improvement, which is in line, if not slightly ahead, of a 5 year to 5 year projection. Toss in the modem holdouts in 2000, and the numbers are still in line.

    Of course, past performance is no indicator of future results, which is why all of these are castles built on sand.

  7. SSIDs I have known on Best Wireless SSIDs You Have Seen? · · Score: 1

    All time favorite: MonkeyCheesePants - Funny, but hopefully no more than that - I wouldn't want to know.

    Runners-up:

    Bring beer for password (university campus)

    nowerenotStarbucksmovealong - near a coffee shop