"You do know that has nothing to do with the server itself right?"
Do you have any citations for that?
'A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients'
What's needed is a totally new kind of online financial transaction system. One that doesn't use card numbers. A dongle on the client connects to the server, generates a one-time session key, identifies itself to the server and displays a random PIN code; the customer then types it in to verify the transaction. The session is encrypted and the data sent can only be used for the one transaction, no repeat man-in-the-middle hacks..
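The one-time-per-transaction scheme sketched in the comment above, as an added example written for this page (it is not code from the thread, nor from any payment network): a dongle enrolled with a shared secret derives a fresh session key and a display PIN from a per-transaction nonce; the server re-derives both, burns the nonce once a valid request has been seen, and refuses replays, wrong PINs and tampered amounts. The names Dongle, Server and TxRequest, the message layout, the HMAC-based derivations and the 6-digit PIN length are this example's own assumptions, and enrolment and transport security are left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TxRequest:
    """What the dongle sends for one transaction (constructed layout, an assumption)."""
    dongle_id: str
    merchant: str
    amount_cents: int
    nonce: bytes   # fresh random value per transaction; doubles as the session id
    tag: bytes     # HMAC over the transaction fields under the one-time session key


def _session_key(secret: bytes, nonce: bytes) -> bytes:
    """One-time session key derived from the enrolment secret and the nonce."""
    return hmac.new(secret, b"session|" + nonce, hashlib.sha256).digest()


def _pin(secret: bytes, nonce: bytes) -> str:
    """6-digit PIN the dongle displays; the server derives the same value."""
    digest = hmac.new(secret, b"pin|" + nonce, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def _tx_bytes(dongle_id: str, merchant: str, amount_cents: int, nonce: bytes) -> bytes:
    """Canonical byte string that the tag covers."""
    return f"{dongle_id}|{merchant}|{amount_cents}|".encode() + nonce


class Dongle:
    """Client-side token holding the secret it was enrolled with."""

    def __init__(self, dongle_id: str, secret: bytes):
        self.dongle_id = dongle_id
        self._secret = secret

    def start_transaction(self, merchant: str, amount_cents: int):
        """Return (request to send to the server, PIN to show the customer)."""
        nonce = secrets.token_bytes(16)
        key = _session_key(self._secret, nonce)
        tag = hmac.new(key, _tx_bytes(self.dongle_id, merchant, amount_cents, nonce),
                       hashlib.sha256).digest()
        return TxRequest(self.dongle_id, merchant, amount_cents, nonce, tag), _pin(self._secret, nonce)


class Server:
    """Issuer side: knows each dongle's secret and remembers every nonce it has accepted."""

    def __init__(self):
        self._secrets = {}
        self._used_nonces = set()

    def enroll(self, dongle_id: str, secret: bytes) -> None:
        self._secrets[dongle_id] = secret

    def verify(self, req: TxRequest, entered_pin: str):
        """Return (approved, reason). A request is usable exactly once."""
        secret = self._secrets.get(req.dongle_id)
        if secret is None:
            return False, "unknown dongle"
        if req.nonce in self._used_nonces:
            return False, "replay"
        key = _session_key(secret, req.nonce)
        expected = hmac.new(key, _tx_bytes(req.dongle_id, req.merchant, req.amount_cents, req.nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req.tag):
            return False, "bad tag"          # fields changed in transit, or not from this dongle
        # Burn the nonce whether or not the PIN matches: a captured request cannot be
        # retried, and a wrong PIN cannot be guessed again against the same session.
        self._used_nonces.add(req.nonce)
        if not hmac.compare_digest(_pin(secret, req.nonce).encode(), entered_pin.encode()):
            return False, "bad pin"
        return True, "approved"


def scenario():
    """Walk through approval, replay, wrong PIN and tampering; returns the reasons in order."""
    secret = bytes(range(32))                 # constructed enrolment secret for the demo
    server = Server()
    server.enroll("dongle-1", secret)
    dongle = Dongle("dongle-1", secret)
    reasons = []
    req, pin = dongle.start_transaction("shop.example", 1999)
    reasons.append(server.verify(req, pin)[1])            # approved
    reasons.append(server.verify(req, pin)[1])            # replay of the same request
    req2, pin2 = dongle.start_transaction("shop.example", 1999)
    wrong = "000000" if pin2 != "000000" else "000001"
    reasons.append(server.verify(req2, wrong)[1])         # bad pin
    reasons.append(server.verify(req2, pin2)[1])          # replay: the session was burned
    req3, pin3 = dongle.start_transaction("shop.example", 1999)
    reasons.append(server.verify(replace(req3, amount_cents=1), pin3)[1])  # bad tag
    reasons.append(server.verify(req3, pin3)[1])          # approved: tampering did not burn it
    return reasons


if __name__ == "__main__":
    print(scenario())
```

The design choice worth noting is where the nonce is burned: after the tag checks out but before the PIN is compared, so a captured request gives an eavesdropper no second attempt, while a forged or altered request (bad tag) does not consume the customer's live session.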
"When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together"
It's the consumers who pay for it with higher charges to pay for things like the chip-and-pin upgrade. Similar to how the consumers pay for shop-lifting..
This was done intentionally by Microsoft, even going so far as making important components like Explorer depend on it
Back in 1995, this was very important to getting the Internet to the users and people seem to forget that
Microsoft's decision to 'extend' HTML and embed Internet Explorer in the OS had nothing to do with 'getting the Internet to the users' and everything to do with sabotaging third party applications, and is the root cause of the current malware infestation. If Microsoft was in the vanguard of 'getting the Internet to the users', then why did they attempt to buy out Netscape?
It is not very comforting to read the following statement:
"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."
It goes on to say:
"We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the best for security! Samba now has a conversion logic that handles random characters and is then doing normal Kerberos functions on it"
"Look, you choose to use an operating system built by essentially hobbyists in their spare time... And yes, I do contribute to the free operating system I use in production environments--FreeBSD. I've contributed many ports to build and install CPAN modules"
"I'd just like to echo what a few other posters have suggested: stick with AD for now and migrate to Samba4 when it matures.. Samba4 will be a great drop-in replacement for AD but it's still some way away from being properly production-ready"
'In short, you can join a WinNT, Win2000, WinXP or Win2003 member server to a Samba4 domain, and it will behave much as it does in AD, including Kerberos domain logins where applicable'
Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.
"OpenLDAP is too plain and simple.. There are no GUI tools.. I even created one"
What was this tool you created called, is there a copy online anywhere? What's difficult about a Unix admin setting up a script? And you don't have to use the CLI for everything, you put it in a script and let the machine do it.
"you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory"
'These problems have been solved by using OpenLDAP and Samba TNG software'
"ADS hides replication from you (accessible through Sites and Services snap-in though)"
It really amazes me how MS releases a utility with most of the core components missing and then charges you more for the 'snapins'.
"There are far too many vulnerabilities in office docs, and no way for me to lock those programs down"
I do this, set the msWord Viewer as the default for opening msWord docs, set normal.dot as readonly and use Open Office for editing msWord docs. Use Firefox and noscript for browsing and use anything but Outlook for email.
"Ok, you've got open LDAP authentication.. You're also missing Group Policy"
It really amazes me that Windows users need so many 'tools' for doing the simplest thing. The standard Linux directory structure allows for setting access to directories on a per-group basis. Users can be members of a number of groups. All you have to do is set some rights on a directory.
"Ok, you can do security updates. How about deploying software? What about configuring policies for things like disabling CD-ROM drives, enforcing screensaver timeouts, etc."
Disabling CD-ROM drives is the same as setting access rights on a directory. See, no special 'tool' to do the job. All you do is set owner of the CD-ROM to group cdusers and deny access to all others. Similar for USB access.
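The "set the group, deny everyone else" approach in the two replies above, as an added example (not code from the thread): a helper that applies it to a path, a check that reports whether "others" still have any access, and a small audit over a list of paths. The group name cdusers and the device path are placeholders from the comment; the demo uses a temporary directory standing in for the device node and the caller's own primary group, so it runs without root.

```python
import grp
import os
import stat
import tempfile


def restrict_to_group(path: str, gid: int) -> int:
    """Give one group (plus the owner) access to path and deny everyone else.
    Directories get rwx for owner and group (0o770); files and device nodes get rw (0o660).
    Returns the permission bits now in force."""
    os.chown(path, -1, gid)              # keep the owner, change only the group
    os.chmod(path, 0o770 if os.path.isdir(path) else 0o660)
    return stat.S_IMODE(os.stat(path).st_mode)


def others_have_access(path: str) -> bool:
    """True if any of the 'other' permission bits (r, w or x) are set."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)


def audit_world_accessible(paths):
    """Return those of the given paths that exist and that every user can reach."""
    return [p for p in paths if os.path.exists(p) and others_have_access(p)]


def gid_for(name: str, fallback: int) -> int:
    """Look up a group id by name; use fallback when the group does not exist on this host
    (e.g. the placeholder group 'cdusers' from the comment)."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return fallback


def demo():
    """Apply the scheme to a temporary directory that stands in for the device node.
    Uses the caller's own primary group so it needs no privileges."""
    gid = os.getgid()
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "cdrom-stand-in")   # placeholder for the real device path
        os.mkdir(target)
        os.chmod(target, 0o777)                         # start out open to everyone
        before = others_have_access(target)
        mode = restrict_to_group(target, gid)
        after = others_have_access(target)
        group_ok = os.stat(target).st_gid == gid
        flagged = audit_world_accessible([target, os.path.join(tmp, "missing")])
        return before, mode, after, group_ok, flagged


if __name__ == "__main__":
    print("cdusers gid (or fallback):", gid_for("cdusers", os.getgid()))
    print(demo())
```

Two practical caveats: changing a file's group needs root unless the caller owns the file and is a member of the target group, and on a Linux desktop the device node under /dev is recreated by udev, so the persistent form of the same setting is a udev rule with GROUP and MODE rather than a one-off chown/chmod.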
"We have 13 servers and over 100 individual pieces of software"
Jeez, sounds a bit over-designed for a few AutoCAD drawings..:)
"our IT team is essentially two people"
Given the size and complexity of your network that does surprise me. I have worked in a F400 international consultancy where they had an IT dept consisting of twelve people on the helpdesk, a senior IT manager, a networking guy, and someone who traveled round the building with a case load of install CDs. Reinstalling was such a regular occurrence that they set up a dedicated Ghost server. Each desktop station had two Ethernet connections, one for the Internet and one directly connected to the Ghost server; plug in the Ghost server and reboot and it went into install mode.
The support staff spent most of their time remaking Exchange profiles. Every so often the fax server and printers would go offline, and no one could figure out why.
"and we have enough free time to do things properly, actively planning and testing projects for future deployment"
I have a box running openSuSE 9.0 as an SMB server, I haven't had to touch it in over ten months...
Same with open sourcing Java, the boat has long left the pier. What Sun should concentrate on is making a combined multimedia stack, from the desktop to the server, to deliver games and video to the next generation of Internet users. Do a deal with the content owners and the telecom companies, and the combined whole could be a massive revenue earner. Are you listening, Scott McNealy?
'all Office Documents are quarantined before manual release'
Do you really expect us to believe that the only secure way of accessing an Office Doc is to quarantine it? I thought you had the system totally locked down and AV on all desktops?
"it would take a lot longer to get this network working under linux than windows"
I thought Linux did networking as well as Unix, what do your servers/routers/switches/firewall run on?
"the couple of dozen specialist apps that simply don't exist in Linux"
What are those specialist apps? Do you mind telling me what sector your business is in?
"I'm not aware of anything that as easy to use and effective as group policy for securing computers and deploying software"
"Our protection against viruses is pretty thorough, and.. filtered.. firewall.. CD-ROM.. USB drives.. Autorun.. Downloads of executables.. is disabled.. Emails.. filtered.. Office Documents are quarantined.. AV on all desktops.. takes under a single man hour each day for the IT department to manage.."
When do you get the time to do any actual real work? Wouldn't it be simpler to run a Linux distro, all you have to do to protect the system is - nothing...
Of course, in order to protect our children from porn, they'll have to monitor all our online access. Instead of mandating that the web sites put a porn tag in the metadata, that way we can decide for ourselves what web site to look at..:)
I like OO.o except it doesn't have $RANDOM feature ..
DEF $RANDOM = go to www.oooforum.org/some issue ....
"You do know that has nothing to do with the server itself right?"
Do you have any citations for that?
'A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients'
What's needed is a totally new kind of online financial transaction system. One that don't use card numbers. A dongle on the client connects to the server generates a one-time session key,and identifies itself to the server and displays a random Pin code, the customer then types it in to verify the transaction. The session is encrypted and the data sent can only be used for the one transaction, no repeat man-in-the-middle hacks ..
"When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together"
..
It's the consumers who pay for it with higher charges to pay for things like the chip-and-pin upgrade. Similar to how the consumers pay for shop-lifting
Partner profile
'The LDS Church .. are considering Mandrake, Debian, Red Hat and Open Office'
'each subsidiary should have a method to track Linux threats and that these should be reported back to Redmond'
"the fact that Windows has had a media player since 1992, long before Real and the other moaners came along"
It says here that Microsoft released ActiveMovie in 1996 and QuickTime came out in 1991.
"Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually .."
Generally, GUI config tools get in the way, editing the dreaded config file is simpler and more straight forward.
"and samba did not respond properly to the config"
What you mean is you don't understand SAMBA enough to configure it
"Not sure if samba needs root for anything other than binding to the ports it uses and accessing files as specific users"
Yea, I think he needs to RTFM
I like Samba 4 except it doesn't have $RANDOM feature :)
I guess since it's not using billgs OS, the tech press will have to rubbish it ..
If Vista isn't a turkey then why did Microsoft deem it necessary to produce Windows 7?
"Look, you choose to use an operating system built by essentially hobbyists in their spare time. .. And yes, I do contribute to the free operating system I use in production environments--FreeBSD. I've contributed many ports to build and install CPAN modules"
Is this a sample of the hobbyist system?
Do you mind providing a link to these ports?
"The story *DOES NOT* say that Silver light will be used exclusivly accross all channels"
Where does it say it is going to be streamed for non-Windows players?
'Donors with ties to Microsoft are among the biggest backers of President-elect Barack Obama's inauguration'
"I'd just like to echo what a few other posters have suggested: stick with AD for now and migrate to Samba4 when it matures .. Samba4 will be a great drop-in replacement for AD but it's still some way away from being properly production-ready"
'In short, you can join a WinNT, Win2000, WinXP or Win2003 member server to a Samba4 domain, and it will behave much as it does in AD, including Kerberos domain logins where applicable'
Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.
"OpenLDAP is too plain and simple .. There are no GUI tools .. I even created one"
What was this tool you created called, is there a copy online anywhere? What's difficult about a Unix admin setting up a script. And you don't have to use the CLI for everything, you put it in a script and let the machine do it.
"you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory"
'These problems have been solved by using OpenLDAP and Samba TNG software'
"ADS hides replication from you (accessible through Sites and Services snap-in though)"
It really amazes me how MS releases a utility with most of the core components missing and then charges you more for the 'snapins'.
"There are far too many vulnerabilities in office docs, and no way for me to lock those programs down"
.. You're also missing Group Policy"
.. :)
...
I do this, set the msWord Viewer as the default for opening msWord docs, set normal.dot as readonly and use Open Office for editing msWord docs. Use Firefox and noscript for browsing and use anything but Outlook for email.
"Ok, you've got open LDAP authentication
It really amazes me that Windows users need so many 'tools' for ding the simplest thing. The standard Linux directory structure allows for setting access to directories under a per group basis. Users can be members of a number of groups. All you have to do is set some rights on a directory.
http://www.freeos.com/articles/3127/
"Ok, you can do security updates. How about deploying software? What about configuring policies for things like disabling CD-ROM drives, enforcing screensaver timeouts, etc."
Disabling CD-ROM drives is the same as setting access rights on a directory. See, no special 'tool' to do the job. All you do is set owner of the CD-ROM to group cdusers and deny access to all others. Similar for USB access.
"We have 13 servers and over 100 individual pieces of software"
Jeez, sounds a bit over designed for a few autocad drawings
"our IT team is essentially two people"
Given the size an complexity of your network that does surprise me. I have worked in a f400 international consultancy where they had an IT dept consisting of twelve people on the helpdesk, a senior IT manager, a networking guy, and someone who traveled round the building with a case load of install CDs. Reinstalling was such a regular occurrence, that they set up a dedicated Ghost server. Each desktop station had two Ethernet connections, one for the Internet and one directly connected to the Ghost server, plug in the Ghost server and reboot and in went into install mode.
The support staff spent most of their time remaking Exchange profiles. Every so often the Fax server and printers would go offline, and no one could figure out why?
"and we have enough free time to do things properly, actively planning and testing projects for future deployment"
I have a box running openSuSE 9.0 as a SMB server, I haven't had to touch it on over ten months
Same with open sourcing Java, the boat has long left the pier. What sun should concentrate on is making a combined multimedia stack, from the desktop to the server to deliver games and video to the next generation of Internet users. Do a deal with the content owners, the telecom companies and the combined whole could be a massive revenue earner. are you listening, Scott McNealy
'all Office Documents are quarantined before manual release'
Do you really expect us to believe that the only secure way of accessing an Office Doc is to quarantine it. I thought you had the system totally locked down and AV on all desktops?
"it would take a lot longer to get this network working under linux than windows"
I thought Linux did networking as well as Unix, what do your servers/routers/switches/firewall run on?
"the couple of dozen specialist apps that simply don't exist in Linux"
What are those specialist apps. Do you mind telling me what sector your business is in?
"I'm not aware of anything that as easy to use and effective as group policy for securing computers and deploying software"
http://www.linuxjournal.com/article/6266
http://en.wikipedia.org/wiki/OpenLDAP
http://www.bayour.com/LDAPv3-HOWTO.html
http://www.howtogeek.com/howto/ubuntu/configure-how-often-ubuntu-checks-for-automatic-updates/
"I think you'd be surprised just how low maintenance this lot is"
I am surprised as my personal experience is a bit different
"patching software is something we can do in our own sweet time"
What else do you do apart from locking down and patching?
"Our protection against viruses is pretty thorough, and .. filtered .. firewall .. CD-ROM .. USB drives .. Autorun .. Downloads of executables .. is disabled .. Emails .. filtered .. Office Documents are quarantined .. AV on all desktops .. takes under a single man hour each day for the IT department to manage .."
When do you get the time to do any actual real work. Wouldn't it be simpler to run a Linux distro, all you have to do to protect the system is - nothing ...
Of course, in order to protect our children from porn, they'll have to monitor all our online access. Instead of mandating the web sites put porn tag in the Metadata, that way we can decide for ourselves what web site to look at .. :)