Slashdot Mirror


User: Decker-Mage

Decker-Mage's activity in the archive.

Stories: 0
Comments: 805

Comments · 805

  1. Re:Sigh.. on Microsoft Retracts Private Folder Option · · Score: 1
    I couldn't agree more and we are not the only ones saying such. Redmond magazine, among others, is pounding on this point repeatedly. I do like complex passwords but what I say to people is to pick a passphrase and use the first letter (capitalization included) of the passphrase and include punctuation. Amazing how many people get it right off the bat and can type it a lot easier than remembering some idiotic combination generated by IT or off the cuff by themselves. I also set "password never expires" on my networks and if DOD had any intelligence, they'd see that the combination of the two can be secure if the password is never written down. Breaches usually occur because of one of two things: social engineering or a password in an accessible location.

    BTW, I have exactly three passwords that I have been using since the late seventies. The first, very easy to type, is for stuff that is totally non-valuable (Hotmail/Live Mail accounts, etc.). Number 2 is more complex but still fairly easy to type for database sa/admin accounts. The last, my domain/enterprise sysadmin accounts is a nightmare but since I never have to change it, rarely use it, and even l0phtcrack can't get it on my warp-speed machine here in well over seventy-two hours (at which point I gave up), it's definitely secure. And yes, I do log all accesses and check them daily to monitor.

    There is rational IT policy which has been through (intensive) systems and economic analysis (fortunately I have worked in and managed to combine both) and there is made up policy which sounds rational but when closely examined yields unintended consequences. Hmmm..., sounds a lot like our respective governments, neh?

    Even better will be when the whole thing becomes rational and true passphrases can be used.

  2. Re:Key escrow? on Microsoft Retracts Private Folder Option · · Score: 1

    No, if it isn't in the job description then it isn't my job. Firing me over it will result in a wrongful termination lawsuit so fast it would make their head spin although I wouldn't be interested in any financial rewards in my case, just a slap in their face to remind them of the law. That isn't to say I couldn't handle that situation if it should arise and someone said "pretty please, if you could help me out...", I probably would do it. I do have the tools should such arise (although I suspect they are illegal now). Any good sysadmin accumulates such tools, like lint, if they want to keep their sanity. Lord knows I've forgotten passwords simply by getting in a hurry or, even worse, mistyping the same erroneous password twice.

  3. Re:That could've been a good feature! on Microsoft Retracts Private Folder Option · · Score: 1
    "well.. are you going to refuse someone who can fire your ass?"

    In a word? Yes. I always made it abundantly clear that I would not change my policies for anyone, not even God should (s)he magically appear in front of me. Actually, it's earned me quite a bit of respect for my integrity. There are more than a few extremely senior (ya know, the guys with the stars on their uniforms) that have felt the lash of my tongue. Not a single bit of retribution ever came back my way.

    Frankly, it's been the wimpy-ness of CSO's, CIO's, and related people that have gotten the whole IT field into the mess we are in today, not Microsoft or anyone else. A craftsman who blames his tools or the maker of his tools is a fraggin' incompetent craftsman, in my not so humble opinion. That goes equally if their methods/procedures are suspect.

  4. Re:Browsing in a sandbox to escape spyware on VMware Releases Server 1.0 · · Score: 1
    While I most certainly am (one of?) the leading candidate(s) for most security conscious (paranoid more like) around here, just witness my bastion defense reply up above, many of the Virtual Player images are from the groups/companies that make the product. Others are contributed by people I know of, if not know, from the virtualization scene. Actually I'd be more worried about some major distro server being hijacked/cracked than someone surreptitiously slipping a trap-doored or back-doored VP image upload on VMWare. Ooops, already happened. Again!

    If you are as paranoid as I am, roll your own from Gentoo, but make sure that your source is authenticated (gpg/pgp signed at the least).

  5. Re:Linux/UNIX virtualization on VMware Releases Server 1.0 · · Score: 1
    Thankfully I never was since I was introduced to computing, by IBM System Engineers and Administrators, at the tender age of ten back in the punch-card days. Virtualization is far from the only concept to migrate from IBM mainframes (I/O processors, coprocessors, ... anyone?). Makes me glad that I spent so much time with them, reading all the manuals religiously, and that they were willing to explain it to some kid given free run of the computing center.

    Of course, times have changed and more than a little bit. Now it's hundreds to thousands of guest machines but fortunately most of the tools have scaled up as well, err... almost as well. Oh heck, the tools need more than a little work to catch up. We'll get there on the SysAdmin side (or all commit seppuku).

  6. Re:Free download... sweet! on VMware Releases Server 1.0 · · Score: 1
    Here, Windows 2000 Advanced Server and Windows Server 2003 Enterprise are considered fairly serious operating systems, especially the latter. VMWare is not used here to apply your one app/one server rule at all. Instead it is about two overarching factors: (1) Redundancy. Should the host machine fail, it is a simple matter of loading the various VM's onto another host. I even have a collection of master virtual hard drive images on DVD-ROM here to restore from so it isn't any big deal if a major disaster strikes. I'm out the door with the master DVD's and my data backups [and there is another set far, far away with hardware already standing by]. Practically any relatively new collection of whiteboxes will do to get me back up and running and that was a major selling point to others especially after Katrina. I also don't buy into the stability problem that the arrogant elite assert. Stability is seldom a problem here and the two times that it became a problem, hardware was the failing component. The only reason to reboot I have these days, short of outright hardware failure, is for the idiotic WindowsUpdates. Even those are scheduled by me, not Microsoft. Every patch gets tested both here and in the court of geek opinion before the patch goes in and that testing is done, you guessed it, on various VM's with suitable configurations. Having been burnt once by Microsoft on a patch was once too many times, thankfully I never allow production machines to automagically install or even download them. Given the other defenses here, frankly I'm not that worried about the 0-day of the month anymore, which gets me to my second point.

    However, that's just all icing on my cake here. The cake that is hiding under all that icing is solid granite. This is what I call my bastion defense as I've mentioned in passing in one of these VMWare articles before. The major defense is that the machines that make up the network of "machines" and "clusters" is heterogeneous. It isn't just a mix of Windows machines, it is a mix of Windows, various flavors of Linux (RHEL 9, Novell/SuSe Enterprise 9, FreeBSD, Ubuntu desktops), and a few other oddballs (a guy needs some secrets) out there any one, or several, of which can be real or virtual. Just as there are real and virtual "networks." Just as there are external firewalls, numerous internal firewalls, and the whole setup is wired-up like a pinball machine for monitoring, IDS, and IPS. And, of course, there are a few honey-pots out there to keep the whole thing attractive once I do get a live one wandering about "in a maze of twisty passages, all alike." That heterogeneity allows me to play to the various strengths and weaknesses of each of the elements that make up this moat-surrounded, layers upon layers of walls, mazes, and more than a few (tar) pits, "murder holes", spies, attentive guards, and should you win through that all you have to cope with the dragon. Me. {Picking teeth with a long-sword.}

    If the unthinkable should happen and one of the production servers gets cracked (hacked), well it's still no big deal. All the serious players here, *nix to Windows, save the databases which use a different design architecture, are all hosted virtual machines whose state is regularly snapshotted. I may lose a few hours of DNS, DC, or whatever changes/updates, but yon cracker is going to find that network that he just mapped no longer follows the same map. That is yet another of the contingency plans here as well as identifying the failure point(s). Jigger everything around and totally screw them up.

    Am I paranoid enough? I don't think so. Then again, I haven't had a single machine taken out by a virus, worm, cracker (hacker), or malware since 1989 despite some of the crazy places I go to and the crazy things I do. And that was on my Amiga when I was the person responsible for ensuring that all the CompuServe uploads were safe (and worth downloading back when usage fees really meant something!). I consider VM technology to be my S

  7. Re:Free download... sweet! on VMware Releases Server 1.0 · · Score: 1

    Since so much of my work of the last few years has revolved around systems (physical/network/computer) security, I spend quite a bit of time doing walkabout in the underground community. Running on a virtualized machine is ideal for this purpose since, as you said, you just whack the current session when you are done and boot from the safe snapshot. However this isn't typical home use. What is typical home use is to have the kiddies on the computer and, again, having them run under a VM is just as ideal unless they are playing demanding (D3D) games. If something goes on the fritz, whack the current session and load the prior snapshot(s) until things work right. I've lost track of how many calls I get asking me to come out and fix machines that the kids, and far too often some adult, have mangled by going to the wrong place or installing the wrong thing. Not only do they want me to unmunge/restore the machine, they want me to prevent a recurrence. This solution does tend to mitigate the problem quite a bit once you explain it correctly. I wouldn't be surprised to see it incorporated in some future version of whatever M$ and every one else comes up with next. Sort of like what another article ("A Closed-Off System?") posted in today's mail message was asking. Have a hardware-level write-protected host and who cares what you do to the various guests. Hell, each user could have their own custom-tailored guest with (most) every OS out there to suit their desire/needs.

  8. Re:Software licences for each virtual machine on VMware Releases Server 1.0 · · Score: 1

    To a limited extent M$ does. They revised the license terms for Windows Server 2003 Enterprise and Datacenter Release 2 editions. For those versions, you can have as many inactive virtual installations as you desire although for Enterprise you are limited to only having four installations active (running) at any one time. For Datacenter, as if we could afford the hardware/software combo {snort}, you can have as many active as you can run. The four simultaneously running installs for Enterprise is one reason I'm thinking of getting the new action pack once all the pieces are in place as I play with more than a few what/if scenarios here.

  9. Re:Abandonware? on End of Win 98 Support May Boost Desktop Linux · · Score: 1

    I was not addressing the piracy question. I refuse to pirate anything, but as a software engineer, among many other things, you'd expect that. What I was addressing was the question of why you would use Win'98 even after it became abandonware. It still has uses, just not cutting edge uses anymore.

  10. Re:Abandonware? on End of Win 98 Support May Boost Desktop Linux · · Score: 1
    Actually I have quite a few software packages (and of course games) that simply will not run under WINE, Crossover Office, or XP/Vista for that matter. True, they are quite specialized, but I am not alone in not seeing a reason to switch to anything else for those particular software packages just as the typical Win'98 user will not either. A good part of the consulting that I do around the local region in my now copious spare time is for home and small to medium business users/owners. They simply aren't upgrading, nor will they until the machine literally dies totally. Instead I get called in to keep them going using my mound of older parts. This despite the fact that it would have been cheaper, after what they gift me (I don't charge), over time. Hell, one of my machines here is still running Windows for Workgroups 3.11 for the simple fact that I still encounter them from time to time and I need to refresh/validate what I know before making changes to the owner's machine(s).

    There is also the problem of data migration. This is a huge problem for SMB's and to a lesser extent some home users. I've become quite adept at migrating such data from package to package, but many firms are simply not interested. They live by the maxim "if it ain't broke, don't fix it", which I quite understand.

    It's funny that every time some little thing changes at Microsoft, this will somehow be the magic wand that will leverage Linux on to the desktop [which isn't WTFA said anyway]. In their dreams, sad to say.

  11. Re:how does losing 98 make linux more usable? on End of Win 98 Support May Boost Desktop Linux · · Score: 0

    Damn straight. It's not just the installers, dependency hell can give novices, hell gives me serious nightmares, especially if they are using dial-up which most of these users are. Frag, these installers are still problematic for even people that know what they are doing, which I do.

  12. Re:Win98 will be around for a while due to VMWare! on End of Win 98 Support May Boost Desktop Linux · · Score: 1

    And yet another advantage of running it under a virtual machine is if the VM gets trashed by a virus, worm, whatever, I simply restore from my original snapshot and move on, not that I use it on the 'net much anyway. I've moved to this approach for XP as well for the same reason.

  13. Re:Geek clique on How The Internet Works - With Tubes · · Score: 1
    This is not addressed specifically at you, although it really applies here. When the Founders created the Constitution, it was with the notion of Citizen-Legislators. We have deviated from that significantly, but the principle still stands in some respects. No legislator, and I mean NO legislator can be expert in all areas which will come under his/her purview, period. I'm a polymath and come from a family of polymaths. I'm among a few dozen, if that, smartest people on the planet. My idea of a good time is completing the works of Tesla. This isn't bragging, this is fact. I'm qualified and have worked in almost every one of the hard science disciplines, all the engineering disciplines, all of the social science disciplines, and a hell of a lot of other jobs besides (I can fight a warship or battlegroup in combat, can you?). All of it before the age of 30. Heck, I've been working professionally since the age of 12.

    What fucking senator is going to match that? I can't think of any, and I can't think of any including myself that can even be elected. So this guy screwed up in his terminology, what a big fucking surprise. I could drag you over to one of my fields of interest and you wouldn't have a clue about what is going on, let alone what the terminology meant. There are a bunch of elitist people here that assume that if you make Congress-critter status, let alone Senator status, that somehow makes you God. You are omniscient. Sorry, but the facts of life are that you aren't. Despite all the people whispering in your ear that you are, you are human. There are only a few that edge towards that domain and none of them, so far as I can tell, near it. Not even myself. I only see the hand of whatever God there is out there in the magic of the structure of the universe.

  14. Re:Geek clique on How The Internet Works - With Tubes · · Score: 1

    As another poster pointed out, the internet today functions almost entirely in a marketplace paradigm. As I well know, economics being one of my areas of expertise, most citizens and 99% of our Congress-critters, it seems, have zero understanding of the marketplace. Your metaphor is quite useful in some ways to at least explain some of the basic concepts and I'll have to add it to my toolbox here. Thank you.

  15. Re:Geek clique on How The Internet Works - With Tubes · · Score: 1
    I have no problem with most of what you said since it is a last mile problem from the standpoint of the customer. Given that we do have a duopoly in almost every market at the customer level, I wouldn't be opposed to a regulatory structure ala the German system until something resembling a competitive market should arrive (about when hell freezes solid IMNSHO). I find it more than a little hilarious that our officials broke up AT&T only to see it rebuild itself under new governance. Talk about unintended consequences (or, for the conspiracy theorists, perhaps entirely intended!).

    I still think that if the telecomms are granted their wish, they will see some very unintended consequences as the marketplace adjusts to the new reality. What they will be we will just have to watch it play out.

  16. Re:Geek clique on How The Internet Works - With Tubes · · Score: 1

    I'm not trying to dazzle anyone with brilliance. You are missing the entire point which is that we have terminology and vocabulary for each and every field of endeavor, social grouping, etc. ad nauseam so it is not surprising when someone who is not a member of that group just plain gets the terms wrong. I've been teaching for some thirty plus years now and I've found that most of the struggle that students have is with the terminology. I can usually get the conceptual framework across but new terms tend to throw them every time. Far more with, say, economics or the other social sciences than, say, electronics or some of the sciences. Hell, it's the same with cliques. I have a real problem even understanding what kids today are even saying or some of the real geek terms here. When I started out in computers, on an IBM-360/150 (on punch cards no less!) way back when, we didn't have terms like n00b. Some of the shorthand here I still don't get. So I am not in the least bit surprised when a Senator gets it wrong even with aides to explain it all, if they can even explain it of which I also have doubts. I don't think they get it either.

  17. Geek clique on How The Internet Works - With Tubes · · Score: 5, Interesting
    So the guy says tubes when he really means pipes. Given that his generation didn't even have an internet, at least he got somewhere in the ballpark. Every profession, group, or clique has its own terminology and it isn't surprising when a non-member mangles the terms. If you are polite, which this group obviously is not, you politely correct the individual and explain what is meant by the term. Given that pipes as a term bears zero relationship to the actual hardware, he actually did damned good in my not so humble opinion. As a teacher/professor in multiple fields, I can easily switch to vernaculars which would leave most of this audience gasping for breath, or at least grasping for Wikipedia if the terms are even in there. I try to avoid that or explain parenthetically what I mean.

    As for the issue at hand, he isn't far off the mark although I think Congress is totally ill-equipped to address the issue just as they were ill-equipped to address the SPAM issue. Frankly I think the market should decide. If the telecomm providers try to double-tap the content providers they will more than likely get a very rude shock when the large content providers purchase, if they don't already have it (Google), dark fiber, fire it up, and do an end run around the telecomms industry. It wouldn't be hard for the larger providers to do so and with cross-trading capacity agreements, they could probably do a better job, cheaper, actually. Then the telecomms providers wouldn't have a basis for complaint at all. All that excess capacity they already have to handle peak traffic would just sit there, not earning them a dime on their capital investment. Couldn't happen to nicer people (SBC anyone?).

  18. Daemon Tools on Managed ASP Web Hosts? · · Score: 0, Offtopic
    Off-topic but not off-reply. There are legitimate uses for tools such as Daemon-Tools. After buying my fourth set of Diablo II/LoD CD's, I got more than a little irritated and that is not the only copy protected game that I have had to replace over the years. Now I use Daemon-Tools and play from an image file on my hard-drive and if Blizzard or anyone else doesn't like it, tough. They have enough of my money already. I do not pirate.

    I'm not surprised that Daemon-Tools doesn't work though on Wine given that it is a kernel level driver. There is a way around that if you can use iSCSI. Use an iSCSI initiator on the Linux side and something like StarWind on the Windows side to present the Daemon-Tools virtual CD to Linux. It'd be very weird, but it would work. [Why you would want to do that, I have no idea unless you have no, or s-l-o-w, Windows boxen and are running Daemon in a VM. REAL weird!]

  19. Re:The answer is simple on Checking Web Content for Sensitive Data? · · Score: 1

    I don't know why this is rated funny 'cause this is precisely what many (hell, most!) companies use as their policy today. Just ask any serious security professional and they will tell you the same.

  20. Re:Which is entirely the wrong approach on Checking Web Content for Sensitive Data? · · Score: 1
    I get damn near all the industry publications that exist and the advertisements in them, as well as more than a few articles, encourage the belief in that magical amulet of security +5. As we both know, security is a process, or actually a collection of processes. I like to think of it as consisting of three items:

    • Security by design - security has to be engineered into the design from the very beginning, not tacked on after the fact.
    • Security by policy - policies must be put in place and enforced to ensure that security is not breached by personnel/users.
    • Security by audit - continuous audits, and here is where software tools, hardware such as intrusion detectors, etc. come in, must be conducted to ensure that the design and policies are effective.

    It's hard to get it right, especially since you face constraints such as time, budget, personnel, and executive buy-in. You will have to conduct serious risk assessments to determine what your priorities are and present them in an effective manner ("hey, id10t exec, you could go to prison over this" does work!) to the CxO's. You'll also have to put the policies in easy to understand formats for personnel, i.e. don't bother explaining the why's and wherefores of a policy, just give people the policy and what will happen (i.e. bye-bye!) if it is violated. Offer amnesty for reporting policy violations. These are only a few things that come immediately to mind.

    Scripts/software tools (compliance validators for instance) are all well and good for the third part of the above formula but it is only a small part of the picture.

  21. Re:Devil's Advocate on ISPs to Create Database to Combat Child Porn · · Score: 1

    No, they have a web front-end which you can access via HTTP or HTTPS. Weird, but I've seen it work. Personally, I'll use NNTP every time, but I have nothing to hide.

  22. Re:Devil's Advocate on ISPs to Create Database to Combat Child Porn · · Score: 1, Offtopic
    The problem I see here is that you'll only catch the stupid pedophiles. Those that use encryption, VPN's, or even HTTPS in their transmissions aren't going to be caught by this method. For instance, I know of several newsgroups services that allow HTTPS or other forms of secure login and transmission. Still, even catching the stupid ones is a start.

    One thing does worry me though and that is that the RIAA, MPAA, and other special interest groups will similarly request and obtain such fingerprint screening. While I don't hold with violating intellectual property rights, I similarly don't hold with using police powers to enforce such rights. The state has far better things to do with their enforcement dollars, like go after pedophiles and other felony offenders, than enforce IP. Civil suits/courts are the venue for that.

  23. Re:This isn't really news... on VMWare Eats Microsoft's Lunch · · Score: 1
    I'm not a VMware employee. I don't work in marketing. Please hurt me (I kinda like it).

    I agree. I've been testing VMWare programs since v1.x and ditto for MS Virtual Server. No contest between the two. If you want to do server consolidation, development testing, or in my case network security simulations, you can't beat VMWare. Much faster for all versions, whether workstation, GSX (Server now), or ESX as against Virtual Server and the interface is a definite thrill as against something that causes you to pound your head against the nearest wall. Ditto performance. And you can't beat the price of VMWare Server as against VS2005 R2 in terms of performance, reliability, and ease of use. Those are serious considerations when cost is no longer a factor. When you do become serious about consolidation, ESX blows VS2005 R2 away. Sorry, MS, go back to the drawing board but be aware that VMWare ain't sitting on its laurels. Thank God.

  24. Re:So... on PS3 Apparently A Computer · · Score: 1
    And I quite disagree. As someone that can design and build these things from raw sand, I don't really think you realize what the PS3 is about. It is NOT just a game console. Sure, you can just buy it for that and if that is all you want out of such a device, why not just go with the X-box 360 which is at a cheaper price-point and a lesser capable machine/device. Nooo... what the PS3 is about is the central focus of a home entertainment center. As such, it eats an X-box 360, or Revolution, for breakfast. Not only does it do the gaming console experience well, if you take advantage of the separate calculation engines, it does multiple HDTV streams manageably as well, in multiple split streams. True, you need a seriously multitasking brain to handle 16 decode streams simultaneously, but that's a channel surfer's dream in my not so humble experience.

    Actually, it's on my shopping list here as a home entertainment system with major TIVO like features as well as the Blu-Ray feature. True, I'd like it as a writer, but that's down the road. However so be it, that's the feature I'm looking for here. I don't do FPS, I'm incompetent in that regard due to nerve damage. Give me those other features that I'd have to pay major money for here to add to my main machine, which has other purposes here (read beta testing the next stuff down the line) and I'll be happy.

    Then again, ya'll know I'm already crazy here givin' my past posting about how and what I use my machines for. Someone's gotta be crazy to abuse machines this way though ;-).

  25. Re:Wrong analogy on MS to Launch Paid Security Subscription Service · · Score: 1
    Actually I do all the time and in all the years I've been using Windows, I've never caught any spyware, malware, or virii. Why? Well, for one I don't do anything stupid. Send me an attachment I didn't ask for and poof! I kill it in the mailbox on my servers in Dallas before it hits my network and for good reason. Even *nix can be infected via that vector, let alone the Windows machines. Even attachments I ask for get saved, not opened on arrival, and then scanned, examined, folded, spindled, and if necessary, mutilated.

    I also use a web proxy (among the other things this tool does) that filters out all active content in the HTML unless I specifically set the site up differently. It's totally configurable about what can happen in both directions. Tack on reverse DNS so I know where a link will take me helps a lot there as well. Too many users are willing to click their way right into this kind of problem. That does not happen here.

    Next, the whole registry and all system files are protected. Not a single entry or file can be changed without my permission; an early hack that I came up with long before WFP (which is still lame, even today). It's annoying when a major update occurs but at least I know what changes are being made to my system and why. The last thing up on the plate is network monitoring/logging so I know the gozintas and gozoutas and who they are from/to here.

    You can be proactive about security, not reactive which is what OneCare is in my not so humble opinion, but it requires work. Aside from the various hardware solutions I've seen, and one *nix implementation, you have to roll your own solutions. You also have to monitor the security mailing lists religiously to make it all work. [Donning asbestos underwear.] If you are not monitoring those lists, and I don't give a rat frag which OS/applications/whatever you are using, you are setting yourself up for a fall. OS X has security problems, Linux/Unix/Solaris/BSD have security problems, Windows has security problems, and all of them have security problems in the arena of applications. If you don't believe me, go over to a site like SecurityFocus.com and sign up for the mailing lists. Be prepared to be buried each and every day.

    As for citing the problems of Windows XP non-SP1/SP2 connecting to the 'net, sheesh. Anyone who does that deserves everything they get. SP2 goes on before the machine goes on the 'net. Always. And everyone knows, in my region, that if you need a reinstall, I'll come by and do it for free. It also gives me a chance to harden their system with my collection of free tools I've rounded up over the years. This is a war and I'm a volunteer in that regard.