Given the low pressure, a visitor will still need a space suit. Keeping warm in a space suit is not a problem. It's getting rid of the heat produced by the person. This is typically done with a sublimator that uses a water to ice transition to remove heat. This only works well if there is a hard vacuum. The alternative of a closed loop refrigerant system adds weight. This presents interesting design problems given the probable weakened state of an astronaut after a trip to Mars.
Does anyone sell small quantities of onetime password tokens that are compatible with the OATH standard and allow the shared secret to be loaded? Every token I have looked at required the use of a custom server and all kinds of licensing.
I like the idea of using two nics. Hardware separation is good. I've recently had problems with application firewalls allowing stuff to sneak out so virtualization and separate ports would be an improvement.
I'm assuming that the SAN could run on the virtual hardware vs. a separate device. Given the low cost of small SANs, I guess this wouldn't be necessary.
I don't know anything about the implementation of WSUS. It would be good if the saved updates were signed in some manner so a compromised external WSUS could be stopped from propagating contaminated files to the internal systems.
Now if only the MS Vista virtual server licensing issues get worked out. Better yet, it would be nice if WSUS was open and could run on other operating systems.
I really dislike opening the firewall to ActiveX just for Update to run. I guess I need to learn more about WSUS
Thanks for your comments. I have thought about using WSUS to distribute patches but I'm back to the problem of having to open http/https to some unknown Microsoft address. That would be OK if the addresses were static and I could wire those IP addresses into the firewall. WSUS would push the problem to a single system. That is certainly easier to manage. I like the idea of relaying patches through an email portal from a deployment and testing network. This works for larger sites but isn't cost effective for small customers.
I guess I'm just a little frustrated by all the software that phones home for updates and never documents what ports or protocols are required. Thanks again.
I frequently read advice (and act on it) to firewall unnecessary ports. For example, only allowing some ICMP, DNS and port 25 for a mail server on a DMZ.
What can be done with MS Windows boxes, on a DMZ, that need Internet access to get updates?
Update applications frequently fetch data from a large number of destinations found either in a large DNS pool or they get redirected to caching servers.
It is almost impossible to get a list of these servers since they change all the time and are never documented. Every time I have tried to firewall outbound connections, it worked for a while and then failed when something outside of my control changed.
Is there a best practice for this problem? Adding an update server only moves the problem to that machine.
For most transactions, you only really need a private key shared with your credit card provider. Merchants could do the same and the problem is mostly solved without a PKI. We still might need to do this anyway. One time tokens anyone?
Generator advice: If you rely on a small gasoline generator for backup power, make sure you know where to find a fuel station that has backup power for the pumps.
I've heard of monitoring at Internet providers and even many years ago it was possible to drop in on calls from anywhere with the proper access rights.
I was wondering just how far the arm-twisting has gone and if it has reached into customer owned equipment that might otherwise protect sensitive communications. This would be closer to an undocumented back door vs. broadcasting the session key encrypted with a government key like with the clipper chip.
I can't help but wonder if cellular providers can already dump memory, turn on the mic. (OnStar?) and record local application key presses on all phones and networked PDAs. Anti-virus vendors probably need to add monitoring of battery current draw to detect "abnormal" activities.
I tend to agree with your assessment as to the limited attention that will be given a letter to a representative. In the past I have also received replies that were totally nonsensical.
What is the status of the bill, ghost written by the FBI, which requires equipment providers to install back doors?
Is it already too late? Has anyone evaluated cell phone/PDAs for back doors? For example, is there an API that allows the service provider to download my VPN shared secret. This would be a great research project.
I think we need a separate law that assigns unlimited liability to anyone installing back doors or requiring their installation. If our leaders could be held personally responsible for the consequences of their bills, maybe they wouldn't be so quick to pass them. I guess I'm dreaming that such a bill could pass.
I just send a note to my representative stating my displeasure with his vote and that I'd never vote for him again.
It's very hard to make a lock that will resist picking for more than a few minutes. A better solution is to hide the lock behind a panel that always sets off an alarm when removed. Then the pick time only needs to be longer than the security response time.
This lock uses Medeco blanks that are restricted so you won't be able to get extra keys. The keys are marked military property. This could get you in trouble in the wrong situation. Also the locks are so big that the holes on most hasps are too small to hang the lock. I believe the locks were originally used with a steel cover (not sold) that had a balanced magnetic sensor for setting off an alarm before the lock could be accessed.
It is insane to transport a laptop in checked luggage. There are a number of very good reasons. Batteries: I would much rather have burning laptops as carry on luggage where the problem can be quickly dealt with vs. in a cargo hold where the entire plane might be lost to a fire. Checked luggage is extremely abused. While doing telecom work in airports, I've seen handlers pull cases off of carts that were stacked higher than their heads and just let them drop to a concrete floor. I don't care how a laptop is packed; this kind of treatment could easily compromise the integrity of a battery pack. Is your case designed for a 2 m drop? Did the drop prime the battery for the next pressure change?
Anything with a high-energy battery: Cameras, Laptops, PDAs, and phones should be carry on only.
Data protection: Encryption is great but there are real industrial spies. Sensitive data should never be out of your reach in a plane or hotel. A key logger can easily take your password. You're a little better off if the key is on a smart card that is carried with your credit cards.
Theft: My last employer had a policy that you would be charged for lost laptops if they were lost from a car, hotel, or checked luggage. I've had gear taken from locked closets behind airport security. I hope you have a low deductible on your insurance if you check your laptop.
Flawed designs are so common. I've been there too. "You can't hash the passwords because it would be hard to test" or "Https won't be supported because certificates are hard to load and no one will see the basic authentication login". Sometimes is seems like everyone is conspiring to make bad systems. A perfect ID would probably be vetoed by agencies that don't want accountability.
A good user interface, on the inspector's terminal, can reduce the problem of being to lazy to compare the pictures. Have two keys: pictures match face or they don't. A random false picture from a cache can be occasionally displayed. If the inspector enters OK, a big booming voice says you're fired. If No is entered, the correct picture is loaded and the inspector can check again.
Is WiFi even usable in a codo complex? I have a client who gave up on 802.11b/g. It worked for a few years but now there are about 20 AP at any time and it is totally unusable.
I just purchased two Nokia E61 phones. I'm generally happy with the product especially the WiFi support and lack of a camera. The price and documentation could be better. I am currently having problems with getting the VPN client to work. The device seems to require a Nokia NSSM policy server to deliver the IPSec parameters. It lacks a user interface to manually enter the parameters. I'm upset enough about the required policy server that I probably won't ever use or specify a Nokia firewall. If anyone knows how to manually create and install a policy, I would appreciate a pointer.
With the DMCA and the broadcast flag it will be illegal to save a copy. So even after the broadcast rights expires in 50 years, copies will still be unavailable thus making copyrights perpetual constitutional or not. Just broadcast again in 49 years to get another renewal. If someone proves it's identical they must have violated the DMCA.
Someone I know was interviewing for a federal job. He was asked if he had sold his gun. A year earlier he had asked for pricing advice on a forum. Don't submit anything that you wouldn't want to see in the newspaper.
Should I use pgp/gpg with some type of plug-in or the s/mime ssl option built into many email clients?
Most people don't seem to want to install anything so I am leaning towards ssl but in the past I have had compatibility issues between Netscape/Mozilla and MS Outlook.
If I chose ssl, I need to pick a certificate authority. In the past I have made and importing my own CA into the browsers but I have had problems with certificate fingerprint differences between Thunderbird and Outlook. When the certificate fingerprints don't match, I'm left wondering if there is a man-in-the-middle or a software incompatibility. An active middle is unlikely - but my opinion is changing with current events.:-)
Slashdot Mirror
What is worse than getting caught taking notes in a clean room with a pencil?
Getting caught with an eraser.
Given the low pressure, a visitor will still need a space suit. Keeping warm in a space suit is not a problem. It's getting rid of the heat produced by the person. This is typically done with a sublimator that uses a water to ice transition to remove heat. This only works well if there is a hard vacuum. The alternative of a closed loop refrigerant system adds weight. This presents interesting design problems given the probable weakened state of an astronaut after a trip to Mars.
Does anyone sell small quantities of onetime password tokens that are compatible with the OATH standard and allow the shared secret to be loaded? Every token I have looked at required the use of a custom server and all kinds of licensing.
I like the idea of using two nics. Hardware separation is good. I've recently had problems with application firewalls allowing stuff to sneak out so virtualization and separate ports would be an improvement.
I'm assuming that the SAN could run on the virtual hardware vs. a separate device. Given the low cost of small SANs, I guess this wouldn't be necessary.
I don't know anything about the implementation of WSUS. It would be good if the saved updates were signed in some manner so a compromised external WSUS could be stopped from propagating contaminated files to the internal systems.
Now if only the MS Vista virtual server licensing issues get worked out. Better yet, it would be nice if WSUS was open and could run on other operating systems.
I really dislike opening the firewall to ActiveX just for Update to run. I guess I need to learn more about WSUS
Thanks for your comments. I have thought about using WSUS to distribute patches but I'm back to the problem of having to open http/https to some unknown Microsoft address. That would be OK if the addresses were static and I could wire those IP addresses into the firewall. WSUS would push the problem to a single system. That is certainly easier to manage. I like the idea of relaying patches through an email portal from a deployment and testing network. This works for larger sites but isn't cost effective for small customers.
I guess I'm just a little frustrated by all the software that phones home for updates and never documents what ports or protocols are required. Thanks again.
I frequently read advice (and act on it) to firewall unnecessary ports. For example, only allowing some ICMP, DNS and port 25 for a mail server on a DMZ.
What can be done with MS Windows boxes, on a DMZ, that need Internet access to get updates?
Update applications frequently fetch data from a large number of destinations found either in a large DNS pool or they get redirected to caching servers.
It is almost impossible to get a list of these servers since they change all the time and are never documented. Every time I have tried to firewall outbound connections, it worked for a while and then failed when something outside of my control changed.
Is there a best practice for this problem? Adding an update server only moves the problem to that machine.
For most transactions, you only really need a private key shared with your credit card provider.
Merchants could do the same and the problem is mostly solved without a PKI. We still might need to do this anyway.
One time tokens anyone?
Generator advice: If you rely on a small gasoline generator for backup power, make sure you know where to find a fuel station that has backup power for the pumps.
I've heard of monitoring at Internet providers and even many years ago it was possible to drop in on calls from anywhere with the proper access rights.
I was wondering just how far the arm-twisting has gone and if it has reached into customer owned equipment that might otherwise protect sensitive communications. This would be closer to an undocumented back door vs. broadcasting the session key encrypted with a government key like with the clipper chip.
I can't help but wonder if cellular providers can already dump memory, turn on the mic. (OnStar?) and record local application key presses on all phones and networked PDAs. Anti-virus vendors probably need to add monitoring of battery current draw to detect "abnormal" activities.
I tend to agree with your assessment as to the limited attention that will be given a letter to a representative. In the past I have also received replies that were totally nonsensical.
What is the status of the bill, ghost written by the FBI, which requires equipment providers to install back doors?
Is it already too late? Has anyone evaluated cell phone/PDAs for back doors? For example, is there an API that allows the service provider to download my VPN shared secret. This would be a great research project.
I think we need a separate law that assigns unlimited liability to anyone installing back doors or requiring their installation. If our leaders could be held personally responsible for the consequences of their bills, maybe they wouldn't be so quick to pass them. I guess I'm dreaming that such a bill could pass.
I just send a note to my representative stating my displeasure with his vote and that I'd never vote for him again.
October is going to be a long month.
A duel use key. What a great idea. Since politicians always get free stuff, they probably already have the key.
It's very hard to make a lock that will resist picking for more than a few minutes. A better solution is to hide the lock behind a panel that always sets off an alarm when removed. Then the pick time only needs to be longer than the security response time.
New microwaves have RFID scanners so they can detect RFID chips. They will only hum like they are zapping a chip. :-)
Good locks usually cost lots of money. This is a source for a high quality S&G padlock: http://www.galleria-e.com/cgi-bin/Colemans.storefr ont/en/product/112801
This lock uses Medeco blanks that are restricted so you won't be able to get extra keys. The keys are marked military property. This could get you in trouble in the wrong situation. Also the locks are so big that the holes on most hasps are too small to hang the lock. I believe the locks were originally used with a steel cover (not sold) that had a balanced magnetic sensor for setting off an alarm before the lock could be accessed.
It is insane to transport a laptop in checked luggage. There are a number of very good reasons.
Batteries: I would much rather have burning laptops as carry on luggage where the problem can be quickly dealt with vs. in a cargo hold where the entire plane might be lost to a fire. Checked luggage is extremely abused. While doing telecom work in airports, I've seen handlers pull cases off of carts that were stacked higher than their heads and just let them drop to a concrete floor. I don't care how a laptop is packed; this kind of treatment could easily compromise the integrity of a battery pack. Is your case designed for a 2 m drop? Did the drop prime the battery for the next pressure change?
Anything with a high-energy battery: Cameras, Laptops, PDAs, and phones should be carry on only.
Data protection: Encryption is great but there are real industrial spies. Sensitive data should never be out of your reach in a plane or hotel. A key logger can easily take your password. You're a little better off if the key is on a smart card that is carried with your credit cards.
Theft: My last employer had a policy that you would be charged for lost laptops if they were lost from a car, hotel, or checked luggage. I've had gear taken from locked closets behind airport security. I hope you have a low deductible on your insurance if you check your laptop.
Don't forget the class of things we "know we can't know"
Flawed designs are so common. I've been there too. "You can't hash the passwords because it would be hard to test" or "Https won't be supported because certificates are hard to load and no one will see the basic authentication login". Sometimes is seems like everyone is conspiring to make bad systems. A perfect ID would probably be vetoed by agencies that don't want accountability.
A good user interface, on the inspector's terminal, can reduce the problem of being to lazy to compare the pictures. Have two keys: pictures match face or they don't. A random false picture from a cache can be occasionally displayed. If the inspector enters OK, a big booming voice says you're fired. If No is entered, the correct picture is loaded and the inspector can check again.
You don't want to use standard Velcro in low gravity. It throws off chaff that presents an inhalation and eye hazard.
Is WiFi even usable in a codo complex? I have a client who gave up on 802.11b/g. It worked for a few years but now there are about 20 AP at any time and it is totally unusable.
I just purchased two Nokia E61 phones. I'm generally happy with the product especially the WiFi support and lack of a camera. The price and documentation could be better. I am currently having problems with getting the VPN client to work. The device seems to require a Nokia NSSM policy server to deliver the IPSec parameters. It lacks a user interface to manually enter the parameters. I'm upset enough about the required policy server that I probably won't ever use or specify a Nokia firewall. If anyone knows how to manually create and install a policy, I would appreciate a pointer.
If any change is going to happen the $400k bill needs to be mailed around November 1st.
With the DMCA and the broadcast flag it will be illegal to save a copy. So even after the broadcast rights expires in 50 years, copies will still be unavailable thus making copyrights perpetual constitutional or not. Just broadcast again in 49 years to get another renewal. If someone proves it's identical they must have violated the DMCA.
Someone I know was interviewing for a federal job. He was asked if he had sold his gun. A year earlier he had asked for pricing advice on a forum. Don't submit anything that you wouldn't want to see in the newspaper.
What is the right solution for email encryption?
:-)
Should I use pgp/gpg with some type of plug-in or the s/mime ssl option built into many email clients?
Most people don't seem to want to install anything so I am leaning towards ssl but in the past I have had compatibility issues between Netscape/Mozilla and MS Outlook.
If I chose ssl, I need to pick a certificate authority. In the past I have made and importing my own CA into the browsers but I have had problems with certificate fingerprint differences between Thunderbird and Outlook. When the certificate fingerprints don't match, I'm left wondering if there is a man-in-the-middle or a software incompatibility. An active middle is unlikely - but my opinion is changing with current events.